feat(header_filter): strip upstream auth headers from wrapper responses (issue #42) #44

Merged
levleontiev merged 2 commits into main from feature/issue-42-response-auth-sanitization-main
Mar 16, 2026
@levleontiev
Contributor

Summary

  • src/fairvisor/wrapper.lua: adds strip_response_auth_headers() — removes Authorization, x-api-key, x-goog-api-key (both lowercase and capitalized variants) from upstream response headers before they reach the client
  • src/nginx/header_filter.lua: at the top, checks ngx.ctx.wrapper_provider; if set, calls strip_response_auth_headers() and returns early — does not affect the existing reverse_proxy path
  • spec/unit/features/wrapper.feature + spec/unit/wrapper_spec.lua: BDD scenario verifying all 3 auth headers are nil and Content-Type is preserved after stripping

Closes #42

Test plan

  • 35 BDD unit scenarios pass (busted spec/unit/wrapper_spec.lua)
  • Full suite: 582 unit + 65 integration successes
  • e2e: 44 passed
  • CI checks

🤖 Implemented by codex, PR opened by Claude Code
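
The sanitization step described in the summary, as an added example that is not part of the PR and is not Fairvisor's own code. It assumes plain Lua tables in place of `ngx.ctx` and the upstream response headers, uses the hypothetical names `strip_auth_headers` and `header_filter`, and goes beyond the two case variants listed above by matching header names case-insensitively.

```lua
-- Added example, not the project's implementation. Plain Lua tables stand in
-- for ngx.ctx and the upstream response headers so the file runs offline.

-- Header names taken from the PR summary, stored lowercase for comparison.
local AUTH_HEADERS = {
  ["authorization"] = true,
  ["x-api-key"] = true,
  ["x-goog-api-key"] = true,
}

-- Remove auth headers from `headers` in place, matching names
-- case-insensitively. Returns the sorted list of names that were removed.
local function strip_auth_headers(headers)
  local doomed = {}
  -- Collect matches first so the returned list is deterministic.
  for name in pairs(headers) do
    if type(name) == "string" and AUTH_HEADERS[name:lower()] then
      doomed[#doomed + 1] = name
    end
  end
  table.sort(doomed)
  for _, name in ipairs(doomed) do
    headers[name] = nil
  end
  return doomed
end

-- Hypothetical stand-in for the header_filter gate: only responses handled
-- in wrapper mode are sanitized; every other path is left untouched.
local function header_filter(ctx, headers)
  if ctx.wrapper_provider then
    return strip_auth_headers(headers)
  end
  return {}
end

-- Constructed sample response for the wrapper path (mixed-case names).
local wrapped = {
  ["Authorization"] = "Bearer constructed-token",
  ["X-API-KEY"] = "constructed-key",
  ["x-goog-api-key"] = "constructed-key",
  ["Content-Type"] = "application/json",
}
local removed = header_filter({ wrapper_provider = "example" }, wrapped)
assert(#removed == 3 and wrapped["Content-Type"] == "application/json")
assert(wrapped["Authorization"] == nil and wrapped["X-API-KEY"] == nil)

-- Constructed sample response for a non-wrapper path: nothing is stripped.
local proxied = { ["Authorization"] = "Bearer constructed-token" }
assert(#header_filter({}, proxied) == 0 and proxied["Authorization"] ~= nil)
```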

codex and others added 2 commits March 16, 2026 15:20
…tization rules

Both Rule sections (hybrid mode routing decision from #43 and
Response auth header sanitization from #42) are preserved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@levleontiev levleontiev merged commit fd486c2 into main Mar 16, 2026
8 checks passed
@levleontiev levleontiev deleted the feature/issue-42-response-auth-sanitization-main branch March 16, 2026 15:37
Development

Successfully merging this pull request may close these issues.

feat(wrapper): strip upstream auth headers from responses in wrapper mode