Header Removal Policy

Policy name

Header Removal

Summary

Removes headers from a request or a response

Category

Transformation

First Flex Gateway version available

v1.0.0

Returned Status Codes

500 - The configuration includes an expression that was not evaluated.

Summary

The Header Removal policy removes all listed headers from a request or a response of a message when you specify an inbound and outbound map of the headers that you want to remove with a key-value pair.

You can optionally include DataWeave expressions in the value of the header. For example, all headers matching the following configured expression are injected to the message:

“#[attributes.requestPath]”

The following headers may not be removed: accept, host, content-type, content-length, date, transfer-encoding, connection,

Configuring Policy Parameters

Flex Gateway Local Mode

In Local Mode, you apply the Header Removal policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

- policyRef:
    name: header-removal-flex
  config:
    inboundHeaders: <array> // OPTIONAL, default: []
    outboundHeaders: <array> // OPTIONAL, default: []

Parameter Required or Optional Default Value Description

inboundHeaders

Optional

Empty array

Map of header names or regular expressions to be removed at the beginning of the message processing, for example, Cache-Control, Access-Control.*

outboundHeaders

Optional

Empty array

Map of header names or regular expressions to be removed at the end of the message processing, for example, Access-Control-Allow-Credentials

inboundHeaders and outboundHeaders can not both be empty.

Resource Configuration Example

- policyRef:
    name: header-removal-flex
    config:
      inboundHeaders:
        - "Cache-Control"
        - "Access-Control.*"
      outboundHeaders:
        - "Access-Control-Allow-Credentials"

Flex Gateway Connected Mode and Mule Gateway

When you apply the Header Removal policy to your API from the UI, you can configure the following parameters:

Parameter Description

Parameter	Description
Inbound Header Map	List of header names or regular expressions (comma separated) to be removed at the beginning of the message processing, for example, `Cache-Control, Access-Control.*`
Outbound Header Map	List of header names or regular expressions (comma separated) to be removed at the end of the message processing, for example, `Access-Control-Allow-Credentials`
Method & Resource conditions	The option to add configurations to only a select few or all methods and resources of the API

Inbound Header Map

List of header names or regular expressions (comma separated) to be removed at the beginning of the message processing, for example, Cache-Control, Access-Control.*

Outbound Header Map

List of header names or regular expressions (comma separated) to be removed at the end of the message processing, for example, Access-Control-Allow-Credentials

Method & Resource conditions

The option to add configurations to only a select few or all methods and resources of the API

How This Policy Works

Because every header that matches a Header Removal policy parameter is removed from the message, you must be careful about how you configure that parameter.

For example, the following parameter configuration removes any header starting with the word Access-Control, such as the Access-Control-Allow-Credentials and Access-Control-Allow-Origin headers from a message. The configuration also removes the Cache-Control header:

Figure 1. Inbound Header