HTTP headers obfuscation

Obfuscate sensitive HTTP headers using a private key known only to the user.

HTTP headers obfuscation is configured separately from the standard obfuscation, via environment variables or in code. The standard obfuscation configurations do not apply to HTTP headers.

HTTP headers can be obfuscated using an allowlist or a blocklist.

Both lists contain HTTP header keys (names). Matching of header keys against the lists is case insensitive.

At most one of the two lists can be configured.

  • When an HTTP headers allowlist is configured, the values of all the HTTP headers whose keys are NOT in the list are obfuscated.
  • When an HTTP headers blocklist is configured, the values of all the HTTP headers whose keys are in the list are obfuscated.
  • When neither list is configured, no HTTP headers obfuscation is done.

HTTP headers obfuscation is done with the same HMAC key used in the standard obfuscation.

Both the HTTP request and response headers are affected.

Enabling HTTP headers obfuscation via environment variables

Set the following environment variables in the environment where your service runs:

HS_DATA_OBFUSCATION_HMAC_KEY=12345
...
HS_DATA_OBFUSCATION_HTTP_HEADERS_ALLOWLIST=[\"secret\",\"token\"]
HS_DATA_OBFUSCATION_HTTP_HEADERS_BLOCKLIST=[\"secret\",\"token\"]

Enabling HTTP headers obfuscation via code

JavaScript:

initialize({
    ...,
    dataObfuscation: {
        hmacKey: '12345',
        ...,
        httpHeadersAllowlist: ['secret', 'token'],
        httpHeadersBlocklist: [...]
    }
});

Python:

initialize(
    ...,
    data_obfuscation_hmac_key='12345',
    ...,
    data_obfuscation_http_headers_allowlist=['secret', 'token'],
    data_obfuscation_http_headers_blocklist=[...]
)

Examples

Consider the following list and HTTP headers:
List = ['secret', 'token']
HTTP headers = { "Content-Encoding": "gzip", "Host": "localhost", "Secret": 42, "TOKEN": "my.token" }

If the list is configured as an allowlist, the obfuscated HTTP headers will look like this:

{ "Content-Encoding": "aa8f3ab6", "Host": "7e89a719", "Secret": 42, "TOKEN": "my.token" }

If the list is configured as a blocklist, the obfuscated HTTP headers will look like this:

{ "Content-Encoding": "gzip", "Host": "localhost", "Secret": "44343c77", "TOKEN": "1e7f2f7f" }
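The selection logic described above (case-insensitive allowlist or blocklist, at most one configured, same key for every value), written out as an added illustration rather than the product's own code. It assumes HMAC-SHA256 truncated to eight hex characters for the obfuscated value; the real digest scheme is not documented here, so the output does not reproduce the sample values on this page.

```python
import hashlib
import hmac


def obfuscate_value(value, hmac_key):
    """Replace a header value with a short keyed digest.

    Assumption: HMAC-SHA256 over the value, truncated to 8 hex chars. The
    product's actual digest construction may differ; only the key handling
    (secret known to the user) and the fixed-width output are modelled.
    """
    mac = hmac.new(hmac_key.encode(), str(value).encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def obfuscate_http_headers(headers, hmac_key, allowlist=None, blocklist=None):
    """Apply allowlist/blocklist obfuscation to a dict of headers.

    - allowlist: headers NOT in the list are obfuscated.
    - blocklist: headers in the list are obfuscated.
    - neither: headers are returned unchanged.
    Configuring both is rejected, matching the "at most one" rule.
    """
    if allowlist is not None and blocklist is not None:
        raise ValueError("configure at most one of allowlist or blocklist")
    if allowlist is None and blocklist is None:
        return dict(headers)

    # Header names are matched case-insensitively against the list.
    if allowlist is not None:
        listed = {name.lower() for name in allowlist}
        def should_obfuscate(name):
            return name.lower() not in listed
    else:
        listed = {name.lower() for name in blocklist}
        def should_obfuscate(name):
            return name.lower() in listed

    return {
        name: obfuscate_value(value, hmac_key) if should_obfuscate(name) else value
        for name, value in headers.items()
    }


# Constructed sample, mirroring the headers used in the examples above.
SAMPLE_HEADERS = {"Content-Encoding": "gzip", "Host": "localhost",
                  "Secret": 42, "TOKEN": "my.token"}
SAMPLE_LIST = ["secret", "token"]

if __name__ == "__main__":
    print(obfuscate_http_headers(SAMPLE_HEADERS, "12345", allowlist=SAMPLE_LIST))
    print(obfuscate_http_headers(SAMPLE_HEADERS, "12345", blocklist=SAMPLE_LIST))
```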