Response header rules

In this article, the response header configuration is explained. For request header configuration, see Request header rules.

General tips for working with CRs

  • CLI:
    • Use kubectl explain <replace with CRD name> --recursive to list all available options and the YAML structure.
    • Check the CRD description texts with kubectl explain <replace with CRD name and path> for more details on the available options.
  • API Reference documentation:
    • Click on the link to open the CR-related documentation in a new browser tab or window: CRD Reference documentation. See also the API Reference documentation links at the end of the article.

Allow response headers

By default, all response headers are forwarded (the allHeaders: {} option). To forward only the predefined standard headers, set the built-in option standardHeaders: true and add custom rules for any further headers the application needs. In this case, all other response headers are removed and not forwarded to the client.

Example:

...
  response: 
    allow: 
      matchingHeaders: 
        builtIn: 
          standardHeaders: true
        custom: 
          - name: "Allow custom application headers" 
            headers: 
              - name: 
                  matcher: 
                    exact: "X-APP-VERSION"
...  
  • The default option allHeaders: {} forwards all response headers unfiltered.
  • The built-in list of standard headers is allowed with the standardHeaders: true option.
  • Note that with standardHeaders: false, only headers matched by custom allow rules and headers set in the add section are forwarded.

See also the API Reference documentation link at the end of this article.

Remove response headers

Different built-in header remove lists can be enabled in the builtIn section, e.g. to improve client security and to reduce information leakage about the server and application stack. To remove additional headers from responses, list them in the custom section.

...
  response: 
    remove: 
      builtIn: 
        permissiveCors: true 
        informationLeakage: 
          application: true 
          server: true 
      custom: 
        - name: Remove unwanted response headers
          headers: 
            - name: 
                matcher: 
                  exact: X-APP-FRAMEWORK
...  

In our example, we enabled the built-in permissiveCors and informationLeakage options. We also added a custom rule which removes the X-APP-FRAMEWORK header from the response.

See also the API Reference documentation link at the end of this article.

Add response headers

Headers can be added to a response from a set of predefined built-in headers or as custom rules.

...
  response: 
    add: 
      builtIn: 
        csp: true 
        featurePolicy: true 
        hsts: true 
        hstsPreload: false 
        referrerPolicy: true 
        xContentTypeOptions: true 
        xFrameOptions: true 
      custom: 
        - name: Add application version as header 
          headers: 
            - name: X-APP-VERSION 
              value: "3.7.4" 
          mode: OverwriteOrAdd 
...  

To add response headers from the builtIn section, set the corresponding options to true as in our example. We also added a custom rule that sets a response header with a header name and value.

With mode: OverwriteOrAdd as in our example, the header is added if it is missing and overwritten if the response from the backend already contains it.
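As an added worked example (not part of this article and not the product's code), the following Python script models the allow, remove and add sections of this article as one pipeline and applies the three configuration fragments above to a constructed backend response. The processing order (allow, then remove, then add), the case-insensitive comparison of header names, the contents of the built-in header lists and the header values emitted by the built-in add options are assumptions made for illustration; consult kubectl explain on the CRD for the real definitions.

```python
# Toy model of the response header pipeline (allow -> remove -> add), added for
# this article; not the product's code. Assumed: rules run in that order, header
# names compare case-insensitively, and the lists/values below are placeholders.

STANDARD_HEADERS = {"cache-control", "content-length", "content-type", "date",
                    "etag", "location", "set-cookie", "vary"}
PERMISSIVE_CORS = {"access-control-allow-origin", "access-control-allow-credentials",
                   "access-control-allow-methods", "access-control-allow-headers"}
INFO_LEAKAGE = {"server": {"server", "via"},
                "application": {"x-powered-by", "x-aspnet-version"}}
BUILTIN_ADD = {  # header each add flag sets; the values are illustrative only
    "csp": ("content-security-policy", "default-src 'self'"),
    "featurePolicy": ("feature-policy", "camera 'none'; microphone 'none'"),
    "referrerPolicy": ("referrer-policy", "strict-origin-when-cross-origin"),
    "xContentTypeOptions": ("x-content-type-options", "nosniff"),
    "xFrameOptions": ("x-frame-options", "DENY"),
}


def _matches(name, custom_rules):
    # True if lowercase `name` equals a `name.matcher.exact` of any custom rule.
    for rule in custom_rules:
        for h in rule["headers"]:
            matcher = h["name"]["matcher"]
            if "exact" not in matcher:
                raise ValueError(f"matcher type not modelled here: {matcher}")
            if name == matcher["exact"].lower():
                return True
    return False


def apply_response_rules(backend, rules):
    """Return the headers the client sees, keyed by lowercase header name."""
    headers = {k.lower(): v for k, v in backend.items()}

    # 1. allow: the default (allHeaders: {}) keeps everything; matchingHeaders
    #    keeps only the built-in standard list plus custom exact matches.
    mh = rules.get("allow", {}).get("matchingHeaders")
    if mh is not None:
        keep_std = mh.get("builtIn", {}).get("standardHeaders", False)
        headers = {n: v for n, v in headers.items()
                   if (keep_std and n in STANDARD_HEADERS)
                   or _matches(n, mh.get("custom", []))}

    # 2. remove: built-in lists, then custom exact matches.
    remove = rules.get("remove", {})
    built_in = remove.get("builtIn", {})
    drop = set(PERMISSIVE_CORS) if built_in.get("permissiveCors") else set()
    for kind, enabled in built_in.get("informationLeakage", {}).items():
        if enabled:
            drop |= INFO_LEAKAGE[kind]
    headers = {n: v for n, v in headers.items()
               if n not in drop and not _matches(n, remove.get("custom", []))}

    # 3. add: built-in security headers, then custom rules.
    add = rules.get("add", {})
    built_in = add.get("builtIn", {})
    for flag, (name, value) in BUILTIN_ADD.items():
        if built_in.get(flag):
            headers[name] = value
    if built_in.get("hsts"):
        hsts = "max-age=31536000; includeSubDomains"
        if built_in.get("hstsPreload"):
            hsts += "; preload"
        headers["strict-transport-security"] = hsts
    for rule in add.get("custom", []):
        if rule.get("mode") != "OverwriteOrAdd":
            raise ValueError("only mode OverwriteOrAdd is modelled here")
        for h in rule["headers"]:
            headers[h["name"].lower()] = h["value"]  # overwrite if present, else add
    return headers


# The article's three fragments combined into one `response` section.
RULES = {
    "allow": {"matchingHeaders": {"builtIn": {"standardHeaders": True}, "custom": [
        {"name": "Allow custom application headers",
         "headers": [{"name": {"matcher": {"exact": "X-APP-VERSION"}}}]}]}},
    "remove": {"builtIn": {"permissiveCors": True,
                           "informationLeakage": {"application": True, "server": True}},
               "custom": [{"name": "Remove unwanted response headers",
                           "headers": [{"name": {"matcher": {"exact": "X-APP-FRAMEWORK"}}}]}]},
    "add": {"builtIn": {"csp": True, "featurePolicy": True, "hsts": True, "hstsPreload": False,
                        "referrerPolicy": True, "xContentTypeOptions": True, "xFrameOptions": True},
            "custom": [{"name": "Add application version as header", "mode": "OverwriteOrAdd",
                        "headers": [{"name": "X-APP-VERSION", "value": "3.7.4"}]}]},
}
# Same rules with the default allow section (allHeaders: {}), for comparison.
RULES_ALL_HEADERS = dict(RULES, allow={"allHeaders": {}})

# Constructed backend response chosen to exercise every rule above.
BACKEND_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.25.3",
    "X-Powered-By": "PHP/8.2.1",
    "X-APP-FRAMEWORK": "Symfony 6.4",
    "X-APP-VERSION": "3.7.3",
    "Access-Control-Allow-Origin": "*",
    "X-Debug-Token": "abc123",
}
```

Calling apply_response_rules(BACKEND_RESPONSE, RULES) and then the same with RULES_ALL_HEADERS shows the difference between the two allow modes: the constructed X-Debug-Token header passes through allHeaders: {} untouched because it is on none of the remove lists, while standardHeaders: true drops it together with everything else that is not explicitly allowed. Both runs show the custom add rule with mode: OverwriteOrAdd replacing the backend's X-APP-VERSION: 3.7.3 with 3.7.4, and the built-in removals only have visible effect in the allHeaders run, since the allow list has already dropped Server, X-Powered-By and the CORS header.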

See also the API Reference documentation link at the end of this article.