3

I've an AWS API gateway in front of a REST API service. I would like to remove one/some HTTP headers when I forward the request to the origin.

I know how to do this using a lambda but I'm just wondering is there is something built in.

Hpatoio
  • 1,785
  • 1
  • 15
  • 22

2 Answers2

0

The easiest thing to do something similar is to force a given header to be an empty string.

To do this you can go in "Integration Request" panel (the second block of an API Gateway request/response flow):

enter image description here

In Headers block you should find all the headers defined (if you've defined it when creating the API resource) with the related mapping. If you wish you can edit the mapping replacing the method.request.header.headerThatYouWantToRemove string with just '' (note the two single quotes) for the header that you want to unset.

If the header that you wish to unset is not present, you can be add it using "Add header" link.

At this point the backend endpoint should ignore empty headers and you are done.

Instead, if you wish to completely delete the header you have to play with mapping template and Velocity mapping template, but this can be risky and error-prone.

BAD_SEED
  • 4,840
  • 11
  • 53
  • 110
  • Note that we recently found this isn't a perfect solution for blanking or overwritting a header. If a client sends a "malformed" header, utilizing different casing (say ,for instance, `Origin` vs `oRiGin`) will result in two headers going to the backend service. Now the http spec says you should read headers in a case insensitive way, so you'll basically send 2 headers to your backend (or in your case where you thought you were removing a header, actually letting one through). – djcrabhat Oct 01 '21 at 20:39
  • 1
    Yes, you're right. An option could be validate headers with a regular expression. So that requests with `oRiGin` header will be trashed. – BAD_SEED Oct 02 '21 at 09:16
0

Using VTL you can do this.

#if($paramName == "Authorization") 
      "$paramName" : "" 
    #else
      "$paramName" : "$util.escapeJavaScript($params.get($paramName))"
#end
buddemat
  • 4,552
  • 14
  • 29
  • 49
Vinay Singh
  • 9
  • 1
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 17 '21 at 10:38