HeaderRewrites

microgateway.airlock.com/v1alpha1

HeaderRewrites defines a policy for restricting, injecting and mutating request and response headers.

apiVersion: microgateway.airlock.com/v1alpha1
kind: HeaderRewrites
metadata:
  name: header-rewrites-example
spec:
  request:
    allow:
      matchingHeaders:
        # To reduce the attack surface, drop all request headers except:
        # - those in the built-in standard headers list (Accept, Cookie, etc.)
        # - those in the built-in tracing headers list (Traceparent, B3, X-B3-*, etc.)
        # - X-CSRF-TOKEN
        builtIn:
          standardHeaders: true
          tracingHeaders: true
        custom:
          - name: Allow X-CSRF-Token header
            headers:
              - name:
                  matcher:
                    exact: X-CSRF-TOKEN
    remove:
      # Remove the "X-Forwarded-Host" header and those in the built-in
      # alternative forwarded headers list from the request.
      builtIn:
        alternativeForwardedHeaders: true
      custom:
        - name: Remove X-Forwarded-Host
          headers:
            - name:
                matcher:
                  exact: X-Forwarded-Host
    add:
      # Inject a custom header into the request if the request condition matches.
      custom:
        - name: Add headers with downstream TLS connection information to member requests
          headers:
            - name: X-TLS-DOWNSTREAM-PEER-CERT
              value: "%DOWNSTREAM_PEER_CERT%"
          mode: OverwriteOrAdd
          requestConditions:
            path:
              matcher:
                regex: ^/member/
  response:
    allow:
      # Allow all response headers.
      allHeaders: {}
    remove:
      # Remove the headers in the built-in auth basic list from the response.
      builtIn:
        auth:
          basic: true
    add:
      # Inject a custom header into the response.
      custom:
        - name: Add application version as header
          headers:
            - name: X-APP-VERSION
              value: "3.7.4"
          mode: OverwriteOrAdd

apiVersion: microgateway.airlock.com/v1alpha1
kind: HeaderRewrites
metadata:
  name: default
spec: 
  settings: 
    operationalMode: Production
  request: 
    allow: 
      matchingHeaders: 
        builtIn: 
          standardHeaders: true
          tracingHeaders: false
    remove: 
      builtIn: 
        alternativeForwardedHeaders: true
    add: {}
  response: 
    allow: 
      allHeaders: {}
    remove: 
      builtIn: 
        informationLeakage: 
          server: true
          application: true
        auth: 
          basic: false
          ntlm: true
          negotiate: true
        permissiveCors: true
    add: 
      builtIn: 
        xFrameOptions: true
        hsts: true
        hstsPreload: false
        csp: false
        xContentTypeOptions: true
        referrerPolicy: true
        featurePolicy: false
        permissionsPolicy: true

HeaderRewrites

Field	Description	Type	Required	Default	Allowed Values
metadata	defines the resource’s metadata	ObjectMeta	yes
spec	defines the desired header rewriting configuration.	object	no

HeaderRewrites.spec

Field	Description	Type	Required
request	defines manipulations on upstream request headers.	object	no
response	defines manipulations on upstream response headers.	object	no
settings	configures the HeaderRewrites filter.	object	no

HeaderRewrites.spec.request

Field	Description	Type	Required	Default	Allowed Values
add	defines which request headers will be added before forwarding to the upstream.	object	no
allow	defines which request headers will be forwarded to the upstream. This can either be allHeaders or matchingHeaders. Default: matchingHeaders: {…}	object	no	`matchingHeaders{...}`	`allHeaders{}`, `matchingHeaders{}`
remove	defines which request headers will be removed before forwarding to the upstream.	object	no

HeaderRewrites.spec.request.add

Field	Description	Type	Required	Default	Allowed Values
custom	allows configuring additional upstream request headers. Add selected headers.	object[]	no

HeaderRewrites.spec.request.add.custom[]

Field	Description	Type	Required	Default	Allowed Values
headers	to add.	object[]	yes
mode	defines the header addition strategy.	enum	no	`AddIfAbsent`	`AddIfAbsent`, `OverwriteOrAdd`
name	describing the configured operation.	string	yes
requestConditions	defines additional request properties which must all be matched in order for this operation to be applied.	object	no

HeaderRewrites.spec.request.add.custom[].headers[]

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of the header.	string	yes
value	defines the value of the header. Note: This field supports dynamic values via Envoy command operators, e.g., `value: "%STREAM_ID%"`. Percentage signs not part of command operators must be escaped using `%%`.	string	yes

HeaderRewrites.spec.request.add.custom[].requestConditions

Field	Description	Type	Required	Default	Allowed Values
header	defines the matching headers of a request.	object	no
invert	indicates whether the request condition should be inverted.	bool	no	`false`	`true`, `false`
mediaType	defines the matching media type from the content-type header of a request.	object	no
method	defines the matching methods of a request.	enum[]	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	defines the matching path of a request.	object	no
remoteIP	defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	object	no

HeaderRewrites.spec.request.add.custom[].requestConditions.header

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.request.add.custom[].requestConditions.header.name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.add.custom[].requestConditions.header.name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.add.custom[].requestConditions.header.value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.add.custom[].requestConditions.header.value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.add.custom[].requestConditions.mediaType

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.add.custom[].requestConditions.mediaType.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.add.custom[].requestConditions.path

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.add.custom[].requestConditions.path.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.add.custom[].requestConditions.remoteIP

Field	Description	Type	Required	Default	Allowed Values
cidrRanges	defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	string[]	yes
invert	indicates whether the match should be inverted.	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.request.allow

Field	Description	Type	Required	Default	Allowed Values
allHeaders	specifies that all request headers should be forwarded.	object	no		`{}`
matchingHeaders	specifies which request headers should be forwarded.	object	no

HeaderRewrites.spec.request.allow.matchingHeaders

Field	Description	Type	Required	Default	Allowed Values
builtIn	allows configuring a set of predefined upstream request headers.	object	no
custom	allows configuring additional upstream request headers.	object[]	no

HeaderRewrites.spec.request.allow.matchingHeaders.builtIn

Field	Description	Type	Required	Default	Allowed Values
standardHeaders	defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. Allows headers: `Accept` `Accept-Charset` `Accept-Language` `Access-Control-Request-Headers` `Access-Control-Request-Method` `Authorization` `Cache-Control` `Content-Length` `Content-Type` `Connection` (if value matches: `Upgrade`) `Cookie` `DNT` `Grpc-Accept-Encoding` `Grpc-Encoding` `Grpc-Message-Type` `Grpc-Timeout` `Host` `If-Match` `If-Modified-Since` `If-None-Match` `If-Range` `If-Unmodified-Since` `Last-Event-ID` `Origin` `Pragma` `Range` `Referer` `Sec-Metadata` `Sec-WebSocket-Extensions` `Sec-WebSocket-Key` `Sec-WebSocket-Protocol` `Sec-WebSocket-Version` `SOAPAction` `Te` (if value matches: `trailers`) `UA-CPU` `Upgrade` (if value matches: `websocket`) `Upgrade-Insecure-Requests` `User-Agent` `Via` `X-Correlation-ID` `X-Do-Not-Track` `X-Requested-With` `X-Request-ID` `X-Same-Domain` `X-WAP-Profile` `X-WAP-Profile-Diff`	bool	no	`true`	`true`, `false`
tracingHeaders	defines whether to allow common tracing headers to be forwarded to the upstream. Allows headers: `Traceparent` `Tracestate` `B3` `X-B3-Traceid` `X-B3-Spanid` `X-B3-Parentspanid` `X-B3-Sampled` `X-B3-Flags`	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[]

Field	Description	Type	Required
headers	to allow.	object[]	yes
name	describing the configured operation. Must be unique.	string	yes
requestConditions	defines additional request properties which must be all matched in order for this operation to be applied.	object	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[]

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].headers[].value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions

Field	Description	Type	Required	Default	Allowed Values
header	defines the matching headers of a request.	object	no
invert	indicates whether the request condition should be inverted.	bool	no	`false`	`true`, `false`
mediaType	defines the matching media type from the content-type header of a request.	object	no
method	defines the matching methods of a request.	enum[]	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	defines the matching path of a request.	object	no
remoteIP	defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	object	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.header

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.header.name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.header.name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.header.value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.header.value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.mediaType

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.mediaType.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.path

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.path.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.allow.matchingHeaders.custom[].requestConditions.remoteIP

Field	Description	Type	Required	Default	Allowed Values
cidrRanges	defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	string[]	yes
invert	indicates whether the match should be inverted.	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.request.remove

Field	Description	Type	Required	Default	Allowed Values
builtIn	allows configuring a set of predefined upstream request headers.	object	no
custom	allows configuring additional upstream request headers.	object[]	no

HeaderRewrites.spec.request.remove.builtIn

Field	Description	Type	Required	Default	Allowed Values
alternativeForwardedHeaders	removes downstream request headers which could potentially be abused to alter the upstream’s view of the remote connection. Removes headers: `Front-End-Https`	bool	no	`true`	`true`, `false`

HeaderRewrites.spec.request.remove.custom[]

Field	Description	Type	Required
headers	to remove.	object[]	yes
name	describing the configured operation. Must be unique.	string	yes
requestConditions	defines additional request properties which must all be matched in order for this operation to be applied.	object	no

HeaderRewrites.spec.request.remove.custom[].headers[]

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.request.remove.custom[].headers[].name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.remove.custom[].headers[].name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.remove.custom[].headers[].value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.remove.custom[].headers[].value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.remove.custom[].requestConditions

Field	Description	Type	Required	Default	Allowed Values
header	defines the matching headers of a request.	object	no
invert	indicates whether the request condition should be inverted.	bool	no	`false`	`true`, `false`
mediaType	defines the matching media type from the content-type header of a request.	object	no
method	defines the matching methods of a request.	enum[]	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	defines the matching path of a request.	object	no
remoteIP	defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	object	no

HeaderRewrites.spec.request.remove.custom[].requestConditions.header

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.request.remove.custom[].requestConditions.header.name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.remove.custom[].requestConditions.header.name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.remove.custom[].requestConditions.header.value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.remove.custom[].requestConditions.header.value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.remove.custom[].requestConditions.mediaType

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.remove.custom[].requestConditions.mediaType.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.remove.custom[].requestConditions.path

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.request.remove.custom[].requestConditions.path.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.request.remove.custom[].requestConditions.remoteIP

Field	Description	Type	Required	Default	Allowed Values
cidrRanges	defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	string[]	yes
invert	indicates whether the match should be inverted.	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.response

Field	Description	Type	Required	Default	Allowed Values
add	defines which response headers will be added before forwarding to the downstream.	object	no
allow	defines which response headers will be forwarded to the downstream. This can either be allHeaders or matchingHeaders. Default: allHeaders: {}	object	no	`allHeaders{...}`	`allHeaders{}`, `matchingHeaders{}`
remove	defines which response headers will be removed before forwarding to the downstream.	object	no

HeaderRewrites.spec.response.add

Field	Description	Type	Required	Default	Allowed Values
builtIn	allows configuring a set of predefined upstream response headers.	object	no
custom	allows configuring additional upstream response headers.	object[]	no

HeaderRewrites.spec.response.add.builtIn

Field	Description	Type	Required	Default	Allowed Values
csp	sets a content security policy which allows only same-origin requests except for images if the ‘Content-Security-Policy’ header is not set by the upstream. Adds missing headers: `Content-Security-Policy: default-src 'self'; img-src `*	bool	no	`false`	`true`, `false`
featurePolicy	sets a feature policy which prevents cross-origin use of several browser features if the ‘Feature-Policy’ header is not set by the upstream. Deprecated: Use permissionsPolicy instead. Adds missing headers: `Feature-Policy: accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; camera 'self'; display-capture 'self'; document-domain 'self'; encrypted-media 'self'; fullscreen 'self'; geolocation 'self'; gyroscope 'self'; magnetometer 'self'; microphone 'self'; midi 'self'; payment 'self'; usb 'self'; xr-spatial-tracking 'self'`	bool	no	`false`	`true`, `false`
hsts	enforces the use of HTTPS if the ‘Strict-Transport-Security’ header is not already set by the upstream. Adds missing headers: `Strict-Transport-Security: max-age=31536000`	bool	no	`true`	`true`, `false`
hstsPreload	enforces the use of HTTPS including for subdomains and enables HSTS preload. Sets headers: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`	bool	no	`false`	`true`, `false`
permissionsPolicy	sets a permissions policy which prevents cross-origin use of several browser features if the ‘Permissions-Policy’ header is not set by the upstream. Adds missing headers: `Permissions-Policy: accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), camera=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), usb=(self), xr-spatial-tracking=(self)`	bool	no	`true`	`true`, `false`
referrerPolicy	ensures that no ‘Referer’ header is sent for cross-origin requests if the ‘Referrer-Policy’ header is not set by the upstream. Adds missing headers: `Referrer-Policy: same-origin`	bool	no	`true`	`true`, `false`
xContentTypeOptions	sets ‘X-Content-Type-Options’ to ’nosniff’ if it is not set by the upstream. Adds missing headers: `X-Content-Type-Options: nosniff`	bool	no	`true`	`true`, `false`
xFrameOptions	sets ‘X-Frame-Options’ to SAMEORIGIN if it is not set by the upstream. Adds missing headers: `X-Frame-Options: SAMEORIGIN`	bool	no	`true`	`true`, `false`

HeaderRewrites.spec.response.add.custom[]

Field	Description	Type	Required	Default	Allowed Values
headers	to add.	object[]	yes
mode	defines the header addition strategy.	enum	no	`AddIfAbsent`	`AddIfAbsent`, `OverwriteOrAdd`
name	describing the configured operation.	string	yes
requestConditions	defines additional request properties which must all be matched in order for this operation to be applied.	object	no

HeaderRewrites.spec.response.add.custom[].headers[]

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of the header.	string	yes
value	defines the value of the header. Note: This field supports dynamic values via Envoy command operators, e.g., `value: "%STREAM_ID%"`. Percentage signs not part of command operators must be escaped using `%%`.	string	yes

HeaderRewrites.spec.response.add.custom[].requestConditions

Field	Description	Type	Required	Default	Allowed Values
header	defines the matching headers of a request.	object	no
invert	indicates whether the request condition should be inverted.	bool	no	`false`	`true`, `false`
mediaType	defines the matching media type from the content-type header of a request.	object	no
method	defines the matching methods of a request.	enum[]	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	defines the matching path of a request.	object	no
remoteIP	defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	object	no

HeaderRewrites.spec.response.add.custom[].requestConditions.header

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.response.add.custom[].requestConditions.header.name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.add.custom[].requestConditions.header.name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.add.custom[].requestConditions.header.value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.add.custom[].requestConditions.header.value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.add.custom[].requestConditions.mediaType

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.add.custom[].requestConditions.mediaType.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.add.custom[].requestConditions.path

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.add.custom[].requestConditions.path.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.add.custom[].requestConditions.remoteIP

Field	Description	Type	Required	Default	Allowed Values
cidrRanges	defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	string[]	yes
invert	indicates whether the match should be inverted.	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.response.allow

Field	Description	Type	Required	Default	Allowed Values
allHeaders	specifies that all response headers should be forwarded.	object	no		`{}`
matchingHeaders	specifies which response headers should be forwarded.	object	no

HeaderRewrites.spec.response.allow.matchingHeaders

Field	Description	Type	Required	Default	Allowed Values
builtIn	allows configuring a set of predefined upstream response header.	object	no
custom	allows configuring additional upstream response headers.	object[]	no

HeaderRewrites.spec.response.allow.matchingHeaders.builtIn

Field	Description	Type	Required	Default	Allowed Values
standardHeaders	defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. Allows headers: `Accept-Ranges` `Access-Control-Allow-Credentials` `Access-Control-Allow-Headers` `Access-Control-Allow-Methods` `Access-Control-Allow-Origin` `Access-Control-Expose-Headers` `Access-Control-Max-Age` `Allow` `Cache-Control` `Content-Disposition` `Content-Encoding` `Content-Language` `Content-Length` `Content-Location` `Content-MD5` `Content-Range` `Content-Security-Policy` `Content-Type` `Date` `Etag` `Expires` `Feature-Policy` `Frame-Options` `Grpc-Accept-Encoding` `Grpc-Encoding` `Grpc-Message` `Grpc-Status` `Last-Modified` `Location` `Permissions-Policy` `Pragma` `Referrer-Policy` `Refresh` `Retry-After` `Sec-WebSocket-Accept` `Sec-WebSocket-Extensions` `Sec-WebSocket-Protocol` `Sec-WebSocket-Version` `Strict-Transport-Security` `Trailer` `Transfer-Encoding` `Vary` `WWW-Authenticate` `Warning` `X-Content-Security-Policy` `X-Content-Type-Options` `X-Frame-Options` `X-Permitted-Cross-Domain-Policies` `X-UA-Compatible` `X-WAP-Profile-Warning` `X-WebKit-CSP`	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[]

Field	Description	Type	Required
headers	to allow.	object[]	yes
name	describing the configured operation. Must be unique.	string	yes
requestConditions	defines additional request properties which must all be matched in order for this operation to be applied.	object	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[]

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].headers[].value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions

Field	Description	Type	Required	Default	Allowed Values
header	defines the matching headers of a request.	object	no
invert	indicates whether the request condition should be inverted.	bool	no	`false`	`true`, `false`
mediaType	defines the matching media type from the content-type header of a request.	object	no
method	defines the matching methods of a request.	enum[]	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	defines the matching path of a request.	object	no
remoteIP	defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	object	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.header

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.header.name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.header.name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.header.value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.header.value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.mediaType

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.mediaType.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.path

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.path.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.allow.matchingHeaders.custom[].requestConditions.remoteIP

Field	Description	Type	Required	Default	Allowed Values
cidrRanges	defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	string[]	yes
invert	indicates whether the match should be inverted.	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.response.remove

Field	Description	Type	Required	Default	Allowed Values
builtIn	allows configuring a set of predefined upstream response headers.	object	no
custom	allows configuring additional upstream response headers.	object[]	no

HeaderRewrites.spec.response.remove.builtIn

Field	Description	Type	Required	Default	Allowed Values
auth	defines the categories of headers concerning authentication.	object	no
informationLeakage	defines the categories of headers concerning information leakage.	object	no
permissiveCors	removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. Removes headers: `Access-Control-Allow-Origin` (if value matches: `(?i:^[[:blank:]]\[[:blank:]]$)`)*	bool	no	`true`	`true`, `false`

HeaderRewrites.spec.response.remove.builtIn.auth

Field	Description	Type	Required	Default	Allowed Values
basic	removes upstream response headers that advise clients to authenticate with Basic Authentication. Removes headers: `WWW-Authenticate` (if value matches: `(?i:^Basic.)`)*	bool	no	`false`	`true`, `false`
negotiate	removes upstream response headers that advise clients to authenticate with Negotiate. Removes headers: `WWW-Authenticate` (if value matches: `(?i:^Negotiate.)`)*	bool	no	`true`	`true`, `false`
ntlm	removes upstream response headers that advise clients to authenticate with NTLM. By default, these headers are removed, because NTLM pass-through is not supported. Removes headers: `WWW-Authenticate` (if value matches: `(?i:^NTLM.)`)*	bool	no	`true`	`true`, `false`

HeaderRewrites.spec.response.remove.builtIn.informationLeakage

Field	Description	Type	Required	Default	Allowed Values
application	removes upstream response headers that leak information about the deployed software. Removes headers: `X-AspNet-Version` `X-AspNetMvc-Version` `X-Generator` `X-Powered-By`	bool	no	`true`	`true`, `false`
server	removes upstream response headers that leak information about the server. Removes headers: `Age` `Link` `P3P` `Proxy-Authenticate` `Server` `Via`	bool	no	`true`	`true`, `false`

HeaderRewrites.spec.response.remove.custom[]

Field	Description	Type	Required
headers	to remove.	object[]	yes
name	describing the configured remove operation. Must be unique.	string	yes
requestConditions	defines additional request properties which must all be matched in order for this operation to be applied.	object	no

HeaderRewrites.spec.response.remove.custom[].headers[]

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.response.remove.custom[].headers[].name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.remove.custom[].headers[].name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.remove.custom[].headers[].value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.remove.custom[].headers[].value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.remove.custom[].requestConditions

Field	Description	Type	Required	Default	Allowed Values
header	defines the matching headers of a request.	object	no
invert	indicates whether the request condition should be inverted.	bool	no	`false`	`true`, `false`
mediaType	defines the matching media type from the content-type header of a request.	object	no
method	defines the matching methods of a request.	enum[]	no		`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
path	defines the matching path of a request.	object	no
remoteIP	defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the `remoteIP` configuration in the `SidecarGateway` / `GatewayParameters` resource to ensure correct client IP detection.	object	no

HeaderRewrites.spec.response.remove.custom[].requestConditions.header

Field	Description	Type	Required	Default	Allowed Values
name	defines the name of a header.	object	no
value	defines the value of a header.	object	no

HeaderRewrites.spec.response.remove.custom[].requestConditions.header.name

Field	Description	Type	Required	Default	Allowed Values
matcher	defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted.	object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.remove.custom[].requestConditions.header.name.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.remove.custom[].requestConditions.header.value

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.remove.custom[].requestConditions.header.value.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.remove.custom[].requestConditions.mediaType

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.remove.custom[].requestConditions.mediaType.matcher

Field	Description	Type	Required
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.remove.custom[].requestConditions.path

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

HeaderRewrites.spec.response.remove.custom[].requestConditions.path.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

HeaderRewrites.spec.response.remove.custom[].requestConditions.remoteIP

Field	Description	Type	Required	Default	Allowed Values
cidrRanges	defines the IPv4 or IPv6 CIDR ranges, e.g. `196.148.3.128/26` or `2001:db8::/28`.	string[]	yes
invert	indicates whether the match should be inverted.	bool	no	`false`	`true`, `false`

HeaderRewrites.spec.settings

Field	Description	Type	Required	Default	Allowed Values
operationalMode	defines the behavior of the filter. In integration mode more information is logged about the requests and responses.	enum	no	`Production`	`Integration`, `Production`