In its capacity as a reverse proxy, the API security gateway must modify HTTP requests and responses in addition to the changes required by policy processing.
Forwarded HTTP request headers
- End-to-end headers: headers that must be transmitted to all recipients on the chain, such as `Content-Type`.
- Hop-by-hop headers: headers that are only relevant to the next recipient on the chain, such as `Connection` and `Keep-Alive`.
- Headers related to HTTP resource versioning and conditional requests, such as `If-None-Match` and `If-Modified-Since`, are never forwarded.
- Headers related to CORS, such as `Origin` or `Access-Control-Request-Method`, are never forwarded.
- Headers that you exclude by using the `allowed-headers` configuration property of an API External Server to define an allow list of forwarded headers.
- Headers that you remove by using a custom statement extension.
The API security gateway always adds the `Host`, `Accept-Encoding`, `Via`, `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, and `X-Forwarded-Proto` headers to forwarded requests. If the HTTP Connection Handler is configured to use or generate correlation IDs, then a correlation ID header is also added to the forwarded request.
You can use the `http-auth-evaluation-behavior` property of a Gateway API Endpoint to alter the `Authorization` header of a forwarded request.
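The request-header rules above, as an added example that is not the gateway's own code: it strips hop-by-hop, conditional and CORS request headers (including any extra hop-by-hop names a client lists in `Connection`), applies an `allowed-headers` style allow list, and adds the proxy headers the gateway always sets. The function and parameter names, the `Correlation-Id` header name, and the `Via` and `Accept-Encoding` values are assumptions.

```python
# Added example, not the gateway's own code: models the request-header
# forwarding rules of a reverse-proxy API gateway.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te", "trailer",
              "transfer-encoding", "upgrade"}
CONDITIONAL = {"if-none-match", "if-modified-since", "if-match",
               "if-unmodified-since", "if-range"}
CORS_REQUEST = {"origin", "access-control-request-method",
                "access-control-request-headers"}
# Headers the gateway sets itself; any client-supplied copy is discarded.
GATEWAY_SET = {"host", "accept-encoding", "via", "x-forwarded-for",
               "x-forwarded-host", "x-forwarded-port", "x-forwarded-proto"}

def forward_request_headers(incoming, client_ip, gateway_host, gateway_port,
                            scheme, backend_host, allowed_headers=None,
                            correlation_id=None):
    """Return the header dict the gateway would forward to the backend API."""
    lower = {k.lower(): v for k, v in incoming.items()}
    # Connection may name further hop-by-hop headers (RFC 7230 s6.1); drop them too.
    extra_hop = {h.strip().lower()
                 for h in lower.get("connection", "").split(",") if h.strip()}
    drop = HOP_BY_HOP | CONDITIONAL | CORS_REQUEST | GATEWAY_SET | extra_hop
    allow = None if allowed_headers is None else {a.lower() for a in allowed_headers}
    out = {}
    for name, value in incoming.items():
        key = name.lower()
        if key in drop or (allow is not None and key not in allow):
            continue
        out[name] = value
    # Proxy headers the gateway always adds (exact values are assumptions).
    out["Host"] = backend_host
    out["Accept-Encoding"] = "gzip"
    out["Via"] = "1.1 api-gateway"
    # Append, never trust: only the last X-Forwarded-For entry is set by this hop.
    prior = lower.get("x-forwarded-for")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    out["X-Forwarded-Host"] = gateway_host
    out["X-Forwarded-Port"] = str(gateway_port)
    out["X-Forwarded-Proto"] = scheme
    if correlation_id:  # header name is an assumption
        out["Correlation-Id"] = correlation_id
    return out

# Constructed sample of what a client might send to the gateway.
SAMPLE_REQUEST = {
    "Host": "api.example.test", "Content-Type": "application/json",
    "Authorization": "Bearer <token>", "Connection": "keep-alive, X-Debug",
    "X-Debug": "1", "Keep-Alive": "timeout=5", "If-None-Match": '"abc"',
    "Origin": "https://app.example.test", "Upgrade": "websocket",
    "X-Forwarded-For": "203.0.113.9",
}
```

A backend behind such a gateway should read the client address from the last `X-Forwarded-For` entry only, since earlier entries are client-supplied.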
Forwarded HTTP response headers
The API security gateway forwards most HTTP response headers, with the following exceptions:
- The `Date` header is replaced with a value generated by the API security gateway.
- The `Content-Length` header is replaced with a value generated by the API security gateway.
- The `Location` header is replaced with a value generated by the API security gateway.
- If the HTTP Connection Handler is configured to use or generate correlation IDs, then a correlation ID header is added to the response.
- Headers related to HTTP resource versioning and conditional requests, such as `ETag` and `Last-Modified`, are never forwarded.
- Headers related to CORS, such as `Access-Control-Allow-Origin` or `Access-Control-Allow-Headers`, are never forwarded.
Unsupported HTTP request header
The API security gateway does not support the `Upgrade` header.
Unsupported statement changes
Statements cannot change the following headers:
- Hop-by-hop headers that the gateway always removes, such as `Connection` and `Keep-Alive`
- Conditional request headers that the gateway always removes, such as `If-None-Match` and `ETag`
- Proxy-specific headers that the gateway always adds, such as `Via` and `X-Forwarded-For`