HTTP header sanitizing

For security reasons, Envoy will “sanitize” various incoming HTTP headers depending on whether the request is an internal or external request. The sanitizing action depends on the header and may result in addition, removal, or modification. Ultimately, whether the request is considered internal or external is governed by the x-forwarded-for header (please read the linked section carefully as how Envoy populates the header is complex and depends on the use_remote_address setting). In addition, the internal_address_config setting can be used to configure the internal/external determination.

Envoy will potentially sanitize the following headers:

• x-envoy-decorator-operation

• x-envoy-downstream-service-cluster

• x-envoy-downstream-service-node

• x-envoy-expected-rq-timeout-ms

• x-envoy-external-address

• x-envoy-force-trace

• x-envoy-internal

• x-envoy-ip-tags

• x-envoy-max-retries

• x-envoy-retry-grpc-on

• x-envoy-retry-on

• x-envoy-upstream-alt-stat-name

• x-envoy-upstream-rq-per-try-timeout-ms

• x-envoy-upstream-rq-timeout-alt-response

• x-envoy-upstream-rq-timeout-ms

• x-forwarded-client-cert

• x-forwarded-for

• x-forwarded-proto

• x-request-id

• referer