Title: In addition to response_headers_to_remove, support for removing response headers by prefix would be useful
Description:
Envoy VirtualHost configuration currently supports removing headers by names with the response_headers_to_remove field.
response_headers_to_remove
(repeated [string](https://developers.google.com/protocol-buffers/docs/proto#scalar)) Specifies a list of HTTP headers that should be removed from each response handled by this virtual host.
When the list of upstream response headers to remove isn't known at "config time" or when the list of upstream response headers can change dynamically, having the ability to remove any response header with a given prefix would be useful.
Being able to remove all response headers having the prefix x-acme-inc- would limit leaking information via headers.
The remove by prefix behavior could also be generalized by removing all headers matching a configured regexp, following the RouteMatch configuration:
# Precisely one of prefix, safe_regex must be set
{
"prefix": "...",
"safe_regex": "{...}"
}
🗣️ Removing headers by prefix can already be done with the Lua filter but ideally, one wouldn't need to invoke the Lua filter for "simple" headers manipulation.
Example:
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
-- Called on the request path.
function envoy_on_request(request_handle)
end
function envoy_on_response(response_handle)
local headers = response_handle:headers()
local prefix = "x-acme-inc"
-- In the current implementation, headers cannot be modified during iteration.
-- store header names locally first and iterate over this table to remove them later
local to_remove = {}
for key, value in pairs(headers) do
if key:find(prefix, 1, true) == 1 then
response_handle:logInfo("found header matching prefix: "..key)
table.insert(to_remove, key)
end
end
for _, value in pairs(to_remove) do
response_handle:logInfo("removing header: "..value)
headers:remove(value)
end
end
If this sounds like a feature that would be accepted, I'd be happy to send a PR.
Title: In addition to response_headers_to_remove, support for removing response headers by prefix would be useful
Description:
Envoy
VirtualHost
configuration currently supports removing headers by names with theresponse_headers_to_remove
field.When the list of upstream response headers to remove isn't known at "config time" or when the list of upstream response headers can change dynamically, having the ability to remove any response header with a given prefix would be useful.
Example:
Being able to remove all response headers having the prefix
x-acme-inc-
would limit leaking information via headers. The remove by prefix behavior could also be generalized by removing all headers matching a configured regexp, following the RouteMatch configuration:🗣️ Removing headers by prefix can already be done with the Lua filter but ideally, one wouldn't need to invoke the Lua filter for "simple" headers manipulation.
Example:
If this sounds like a feature that would be accepted, I'd be happy to send a PR.
Relevant Links:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto.html?highlight=response_headers_to_remove#config-route-v3-virtualhost
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#pairs