PingAuthorize

API security gateway HTTP 1.1 support

In its capacity as a reverse proxy, the API security gateway must modify HTTP requests and responses in addition to the changes required by policy processing.

Forwarded HTTP request headers

HTTP requests often pass through a chain of intermediaries before reaching a destination server. The HTTP 1.1 specifications define two categories of headers that are pertinent to this context.

End-to-end headers

Headers requiring transmission to all recipients on the chain, such as Content-Type.

Hop-by-hop headers

Headers that are only relevant to the next recipient on the chain, such as Connection and Keep-Alive.

The API security gateway never forwards hop-by-hop headers. It generally forwards all end-to-end headers, with the following exceptions:

  • Headers related to HTTP resource versioning and conditional requests, such as If-None-Match and If-Modified-Since, are never forwarded.

  • Headers related to CORS, such as Origin or Access-Control-Request-Method, are never forwarded.

  • Headers that you exclude by using the allowed-headers configuration property of an API External Server to define an allow list of forwarded headers.

  • Headers that you remove by using a custom statement extension.

The API security gateway always adds the Host, Accept-Encoding, Via, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Proto headers to forwarded requests. If the HTTP Connection Handler is configured to use or generate correlation IDs, then a correlation ID header is also added to the forwarded request.

You can use the http-auth-evaluation-behavior property of a Gateway API Endpoint to alter the Authorization header of a forwarded request.

Forwarded HTTP response headers

The API security gateway forwards most HTTP response headers, with the following exceptions:

  • The Date header is replaced with a value generated by the API security gateway.

  • The Content-Length header is replaced with a value generated by the API security gateway.

  • The Location header is replaced with a value generated by the API security gateway.

  • If the HTTP Connection Handler is configured to use or generate correlation IDs, then a correlation ID header is added to the response.

  • Headers related to HTTP resource versioning and conditional requests, such as ETag and Last-Modified, are never forwarded.

  • Headers related to CORS, such as Access-Control-Allow-Origin or Access-Control-Allow-Headers, are never forwarded.

Unsupported HTTP request header

The API security gateway does not support the Upgrade header.

Unsupported statement changes

The API security gateway does not support using statements to add, modify, or delete the following headers:

  • Hop-by-hop headers that the gateway always removes, such as Connection and Keep-Alive

  • Conditional request headers that the gateway always removes, such as If-None-Match and ETag

  • Proxy-specific headers that the gateway always adds, such as Via and X-Forwarded-For

The gateway overrides any changes to these headers.