Description
Describe the feature
Remove sensitive headers. Request headers containing auth credentials that were sent to API Management should be removed before requests are forwarded on to backends or 3rd parties. For example, API Management subscription keys and Authorization headers should be scrubbed.
On the outbound side, response headers revealing backend information, such as the ASP.NET version or web server, should be removed so as not to reveal internal implementations.
When removing headers, particularly inbound ones, it's important to ensure policies that rely on them being present (e.g. validate-jwt) run prior to header removal. As such, removal cannot occur in the global or product scope but must occur at the API or API operation scope.
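As an added illustration of the ordering described above (this is not a policy from the issue or the project), the fragment below is an Azure API Management policy at API scope. The `validate-jwt` step runs first, then the subscription key and Authorization headers are deleted with `set-header exists-action="delete"` before the request reaches the backend; the outbound section strips server-identifying response headers. The OpenID configuration URL and audience value are placeholders that a real deployment would replace.

```xml
<policies>
    <inbound>
        <!-- Inherit product/global inbound policies first -->
        <base />
        <!-- Validate the token BEFORE the Authorization header is removed;
             the URL and audience below are placeholders, not real values -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <openid-config url="https://IDP_PLACEHOLDER/.well-known/openid-configuration" />
            <audiences>
                <audience>API_AUDIENCE_PLACEHOLDER</audience>
            </audiences>
        </validate-jwt>
        <!-- Scrub credentials so they never reach the backend or a 3rd party -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Remove headers that disclose the backend implementation -->
        <set-header name="Server" exists-action="delete" />
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A quick check after applying the policy: call an operation with the API Management trace enabled (or log request headers on the backend) and confirm that `Ocp-Apim-Subscription-Key` and `Authorization` are absent from the forwarded request, while a request with a missing or invalid token is still rejected with 401 before the delete steps run.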
Improvement to Project
By removing sensitive headers, we can reduce accidental credential and information leaks. This increases our security posture positively.
Are you able to collaborate and/or submit a pull request?
Yes