Reputation: 2242
nginx - how to block custom headers
I have nginx running locally, alongside my local test SOAP server. I am using SoapUI to send soap requests to this server via nginx, eg SoapUI -> Nginx:80 -> SoapSever:9338.
My goal is to strip out non-standard headers, to tighten up security. I want to keep content-type, accept, etc, but I want to strip headers such as myHeader1, or abc=xyz.
As part of my testing, I am sending custom headers, and I can see them arriving at my server on the far side, so nginx isnt doing any filtering. I tried using ignore_invalid_headers on; in my /etc/nginx/nginx.conf file under http {}, but I think it means something different to what I think it means, as it doesnt strip any headers.
I can see from the docs that you can add headers, or change specific headers, but can I either strip out all non-standard/custom headers, or can I specify a list of headers that I only want to accept?
Thank you.
Upvotes: 0
Views: 6903
Answers (1)
Reputation: 17371
The ignore_invalid_headers directive only ignores headers which are wrongly formatted.
To clear certain headers you could have a look at the more_clear_headers directive.
See http://wiki.nginx.org/NginxHttpHeadersMoreModule#more_clear_headers for more details.
It's not part of the standard nginx distribution so you will have to install it manually.
Example
more_clear_headers 'X-*';
Will clear all headers starting with X-
Upvotes: 2
Related Questions
- Nginx block all traffic with specific custom header except to some urls
- how to expose custom header on nginx
- Nginx - Access Http custom headers v2
- Nginx: Reject request if header is not present or wrong
- How I can block some of the HTTP headers fields?
- Ignore or modify request headers in NGINX
- set not add header in nginx
- nginx - read custom header set on client
- Nginx proxy_pass block client header and force nginx to use custom header
- Does nginx strip custom request headers?