API security gateway HTTP 1.1 support
Because the API security gateway acts as a reverse proxy, it modifies HTTP requests and responses beyond the changes that policy processing requires.
Forwarded HTTP request headers
HTTP requests often pass through a chain of intermediaries before reaching the destination server. The HTTP 1.1 specifications define two categories of headers that matter in this context:
- End-to-end headers: headers that must be transmitted to every recipient on the chain, such as Content-Type.
- Hop-by-hop headers: headers that are meaningful only to the next recipient on the chain, such as Connection and Keep-Alive. The Connection header can also nominate additional headers as hop-by-hop for a single connection.
The API security gateway never forwards hop-by-hop headers. It generally forwards all end-to-end headers, with the following exceptions:
- Headers related to HTTP resource versioning and conditional requests, such as If-None-Match and If-Modified-Since, are never forwarded.
- Headers related to CORS, such as Origin or Access-Control-Request-Method, are never forwarded.
- Headers that you exclude by using the allowed-headers configuration property of an API External Server to define an allow list of forwarded headers.
- Headers that you remove by using a custom statement extension.
The API security gateway always adds the Host, Accept-Encoding, Via, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Proto headers to forwarded requests. If the HTTP Connection Handler is configured to use or generate correlation IDs, a correlation ID header is also added to the forwarded request.
You can use the http-auth-evaluation-behavior property of a Gateway API Endpoint to alter the Authorization header of a forwarded request.
Forwarded HTTP response headers
The API security gateway forwards most HTTP response headers, with the following exceptions:
- The Date header is replaced with a value generated by the API security gateway.
- The Content-Length header is replaced with a value generated by the API security gateway.
- The Location header is replaced with a value generated by the API security gateway.
- If the HTTP Connection Handler is configured to use or generate correlation IDs, a correlation ID header is added to the response.
- Headers related to HTTP resource versioning and conditional requests, such as ETag and Last-Modified, are never forwarded.
- Headers related to CORS, such as Access-Control-Allow-Origin or Access-Control-Allow-Headers, are never forwarded.
Unsupported statement changes
The API security gateway does not support using statements to add, modify, or delete the following headers:
- Hop-by-hop headers that the gateway always removes, such as Connection and Keep-Alive
- Conditional request and resource-versioning headers that the gateway always removes, such as If-None-Match and ETag
- Proxy-specific headers that the gateway always adds, such as Via and X-Forwarded-For
The gateway overrides any changes that statements make to these headers.