Hide the secret x-sfdc-access-control header value from the SSR server and proxied requests.
Description
MRT is releasing an origin lockdown feature that locks down the MRT origin only to authorized services (i.e. a stacked CDN). An incoming HTTP request will contain the header x-sfdc-access-control: <some-secret-value> that MRT will verify.
To avoid this secret value from being leaked, this PR strips the header from the SSR origin server and proxied requests.
Types of Changes
[ ] Bug fix (non-breaking change that fixes an issue)
[ ] New feature (non-breaking change that adds functionality)
[ ] Documentation update
[ ] Breaking change (could cause existing functionality to not work as expected)
[x] Other changes (non-breaking changes that does not fit any of the above)
Breaking changes include:
Removing a public function or component or prop
Adding a required argument to a function
Changing the data type of a function parameter or return value
Adding a new peer dependency to package.json
Changes
Remove the header value from proxied requests
Remove the header value from the SSR origin request
How to Test-Drive This PR
Upload and deploy a bundle with these changes
Make a request to a proxy, and verify the proxy does not receive the header (can proxy back to the same storefront for ease)
Make a request to the SSR server, and verify the ssr code does not receive the header (can confirm through logs)
Checklists
General
[x] Changes are covered by test cases
[ ] CHANGELOG.md updated with a short description of changes (not required for documentation updates)
Accessibility Compliance
You must check off all items in one of the follow two lists:
[X] There are no changes to UI
or...
[ ] Changes were tested with a Screen Reader (iOS VoiceOver or Android Talkback) and had no issues
Hide the secret
x-sfdc-access-controlheader value from the SSR server and proxied requests.Description
MRT is releasing an origin lockdown feature that locks down the MRT origin only to authorized services (i.e. a stacked CDN). An incoming HTTP request will contain the header
x-sfdc-access-control: <some-secret-value>that MRT will verify. To avoid this secret value from being leaked, this PR strips the header from the SSR origin server and proxied requests.Types of Changes
Changes
How to Test-Drive This PR
Checklists
General
Accessibility Compliance
You must check off all items in one of the follow two lists:
or...
Localization