docs: add docs for dynamic header forwarding

DaleSeo · DaleSeo · commit cda1213988ac · 2025-10-08T17:39:24.000-04:00
diff --git a/docs/source/best-practices.mdx b/docs/source/best-practices.mdx
@@ -47,3 +47,9 @@ To maintain clear trust boundaries, MCP servers must only accept tokens explicit
 Forwarding client tokens downstream is not allowed.
 
 Apollo MCP Server supports OAuth 2.1 authentication that follows best practices and aligns with the MCP authorization model. See our [authorization guide](/apollo-mcp-server/auth) for implementation details.
+
+## Avoid forwarding credentials with header forwarding
+
+The [forward_headers](/apollo-mcp-server/config-file#forward-headers) setting is designed for forwarding **non-sensitive metadata** like A/B testing, feature flagging, geo information from CDNs, or internal instrumentation.
+
+**We strongly recommend against using header forwarding for passing through credentials** such as API keys or access tokens. Forwarding credentials can introduce confused deputy vulnerabilities where your GraphQL API may incorrectly trust headers as though they were validated by the MCP Server.
diff --git a/docs/source/config-file.mdx b/docs/source/config-file.mdx
@@ -20,6 +20,7 @@ All fields are optional.
 | `cors`           | `Cors`                |                          | CORS configuration                                               |
 | `custom_scalars` | `FilePath`            |                          | Path to a [custom scalar map](/apollo-mcp-server/custom-scalars) |
 | `endpoint`       | `URL`                 | `http://localhost:4000/` | The target GraphQL endpoint                                      |
+| `forward_headers`| `List<string>`        | `[]`                     | Headers to forward from MCP clients to GraphQL API               |
 | `graphos`        | `GraphOS`             |                          | Apollo-specific credential overrides                             |
 | `headers`        | `Map<string, string>` | `{}`                     | List of hard-coded headers to include in all GraphQL requests    |
 | `health_check`   | `HealthCheck`         |                          | Health check configuration                                       |
@@ -43,6 +44,19 @@ These fields are under the top-level `graphos` key and define your GraphOS graph
 | `apollo_registry_url`     | `URL`    |         | The URL to use for Apollo's registry                                                                            |
 | `apollo_uplink_endpoints` | `URL`    |         | List of uplink URL overrides. You can also provide this with the `APOLLO_UPLINK_ENDPOINTS` environment variable |
 
+### Forward Headers
+
+The `forward_headers` option allows you to forward specific headers from incoming MCP client requests to your GraphQL API. 
+
+This is useful for:
+- Multi-tenant applications (forwarding tenant IDs)
+- A/B testing (forwarding experiment IDs)
+- Geo information (forwarding country Codes)
+- Client identification (forwarding AI client names)
+- Internal instrumentation (forwarding correlation IDs)
+
+Supports exact header names only. Hop-by-hop headers (like `connection`, `transfer-encoding`) are automatically blocked for security.
+
 ### CORS
 
 These fields are under the top-level `cors` key and configure Cross-Origin Resource Sharing (CORS) for browser-based MCP clients.
