---
title: CryptoHeaderFilter (deprecated)
description: This object is deprecated and is not considered secure. For more information, refer to the Deprecated section of the Release Notes.
component: pinggateway
version: 2023.11
page_id: pinggateway:reference:CryptoHeaderFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2023.11/reference/CryptoHeaderFilter.html
revdate: 2025-06-03T11:21:31Z
section_ids:
  CryptoHeaderFilter-usage: Usage
  CryptoHeaderFilter-properties: Properties
  CryptoHeaderFilter-example: Example
  CryptoHeaderFilter-moreinfo: More information
---

# CryptoHeaderFilter (deprecated)

|   |   |
| - | - |
|   | This object is deprecated and is not considered secure. For more information, refer to the [Deprecated](https://docs.pingidentity.com/pinggateway/release-notes/deprecated.html) section of the *Release Notes*. The CryptoHeaderFilter conveys encrypted data between hosts by using insecure ECB mode ciphers. Consider using a [JwtBuilderFilter](JwtBuilderFilter.html) with a [HeaderFilter](HeaderFilter.html) for a more secure way to pass identity or other runtime information to the protected application. |

Encrypts or decrypts headers in a request or response, using a symmetric or asymmetric key. CryptoHeaderFilter supports key rotation.

## Usage

```json
{
  "name": string,
  "type": "CryptoHeaderFilter",
  "config": {
    "messageType": configuration expression<enumeration>,
    "operation": configuration expression<enumeration>,
    "keySecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "algorithm": configuration expression<string>,
    "charset": configuration expression<string>,
    "headers": [ configuration expression<string>, ... ]
  }
}
```

## Properties

* `"messageType"`: *configuration expression<[enumeration](preface.html#definition-enumeration)>, required*

  The type of message whose headers to encrypt or decrypt.

  Must be one of: `"REQUEST"`, `"RESPONSE"`.

* `"operation"`: *configuration expression<[enumeration](preface.html#definition-enumeration)>, required*

  Indication of whether to encrypt or decrypt.

  Must be one of: `"ENCRYPT"`, `"DECRYPT"`.

* `"keySecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required*

  The secret ID of the key to encrypt or decrypt the headers.

  This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The SecretsProvider object to query for the key to encrypt or decrypt the headers. For more information, refer to [SecretsProvider](secrets.html#SecretsProvider).

* `"algorithm"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The algorithm name, mode, and padding used for encryption and decryption.

  **CryptoHeaderFilter does not support EC-based encryption**. Use other cipher algorithm values given in [Java Security Standard Algorithm Names](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html).

  Default: `AES/ECB/PKCS5Padding`

* `"charset"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The name of the charset used to encrypt or decrypt values, as described in [Class Charset](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/charset/Charset.html).

  Default: `UTF-8`

* `"headers"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  The names of header fields to encrypt or decrypt.

  Default: Empty

## Example

```json
{
  "name": "DecryptReplayPasswordFilter",
  "type": "CryptoHeaderFilter",
  "config": {
    "messageType": "REQUEST",
    "operation": "DECRYPT",
    "keySecretId": "decryption.secret.id",
    "secretsProvider": "KeyStoreSecretStore-1",
    "algorithm": "AES/ECB/PKCS5Padding",
    "headers": [ "replaypassword" ]
  }
}
```
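
What the deprecation notice means for the `AES/ECB/PKCS5Padding` value used in the example above, shown as an added Java example that is not PingGateway code. The class name, the constructed sample values, the throwaway key, and the AES-GCM comparison are assumptions for illustration; AES-GCM appears only as a contrast and this page does not state that it is a supported `algorithm` value.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EcbHeaderDemo {
    // Same transformation string as the filter's documented default.
    static byte[] ecb(SecretKey key, String value) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }

    // Contrast: authenticated encryption; returns IV || ciphertext || tag.
    static byte[] gcm(SecretKey key, String value) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh 96-bit IV for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();          // throwaway demo key
        String pw = "constructed-sample-password"; // constructed value
        // ECB: the same value under the same key gives the same header bytes every time.
        System.out.println("ECB repeats: " + Arrays.equals(ecb(key, pw), ecb(key, pw)));
        // ECB: equal 16-byte plaintext blocks give equal ciphertext blocks.
        byte[] r = ecb(key, "AAAAAAAAAAAAAAAA" + "AAAAAAAAAAAAAAAA");
        System.out.println("ECB block pattern: "
            + Arrays.equals(Arrays.copyOfRange(r, 0, 16), Arrays.copyOfRange(r, 16, 32)));
        // GCM: a random IV makes each encryption of the same value differ.
        System.out.println("GCM repeats: " + Arrays.equals(gcm(key, pw), gcm(key, pw)));
        // GCM: a modified message fails the tag check instead of decrypting.
        byte[] m = gcm(key, pw);
        m[m.length - 1] ^= 1;
        Cipher d = Cipher.getInstance("AES/GCM/NoPadding");
        d.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, m, 0, 12));
        try { d.doFinal(m, 12, m.length - 12); System.out.println("GCM accepted change"); }
        catch (AEADBadTagException e) { System.out.println("GCM rejected change"); }
    }
}
```

The ECB lines print `true` and the GCM comparison prints `false`, which is why an ECB-encrypted header reveals when two requests carry the same value and offers no integrity check on what the protected application receives.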

## More information

[org.forgerock.openig.filter.CryptoHeaderFilter](../_attachments/apidocs/org/forgerock/openig/filter/CryptoHeaderFilter.html)
