
Conversation

@DaleSeo DaleSeo commented Feb 9, 2026

When users configure forward_headers with sensitive credential headers like Authorization, Cookie, Proxy-Authorization, or X-Api-Key, the server now logs a warning at runtime when those headers are actually forwarded to the upstream GraphQL API. This helps operators catch unintentional credential exposure without blocking the request.

Per MCP security best practices, forwarding credentials can introduce audience confusion and privilege escalation risks.

Testing

  1. Create a config file with a sensitive header in forward_headers:
endpoint: https://thespacedevs-production.up.railway.app/

forward_headers:
  - authorization
  - x-tenant-id

operations:
  source: local
  paths:
    - graphql/TheSpaceDevs/operations

schema:
  source: local
  path: graphql/TheSpaceDevs/api.graphql

introspection:
  execute:
    enabled: true

transport:
  type: streamable_http
  stateful_mode: false
  2. Start the server and send a request that includes the Authorization header.
curl -X POST http://localhost:8000/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer test-token" \
  -H "X-Tenant-Id: tenant-123" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"GetAstronautsCurrentlyInSpace","arguments":{}}}'
  3. Confirm the server logs a warning like:
2026-02-10T15:16:21.994684Z  WARN mcp_server{method=POST uri=/mcp status_code=200 OK}:call_tool{apollo.mcp.tool_name="GetAstronautsCurrentlyInSpace" apollo.mcp.request_id=2}: Forwarding sensitive header to upstream GraphQL API header=authorization
  4. Confirm that x-tenant-id does not produce a warning.

@DaleSeo DaleSeo self-assigned this Feb 9, 2026
apollo-librarian bot commented Feb 9, 2026

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 2 changed, 0 removed
* (developer-tools)/apollo-mcp-server/(latest)/auth.mdx
* (developer-tools)/apollo-mcp-server/(latest)/config-file.mdx

Build ID: 6fd70c556b3081b49e797c30
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/6fd70c556b3081b49e797c30

@DaleSeo DaleSeo marked this pull request as ready for review February 10, 2026 15:23
@DaleSeo DaleSeo requested review from a team as code owners February 10, 2026 15:23
@github-actions

Changeset file added - thank you!

}
outgoing.insert(header_name, value.clone());
}
}

[Consider] The sensitive header check is case-sensitive, but HTTP header names are case-insensitive per RFC 7230. While this works correctly because reqwest normalizes header names to lowercase internally, consider using header_name.as_str().to_lowercase() to make the case-insensitivity explicit (similar to the hop-by-hop header check at line 48). This improves clarity about the behavior.

Reference: Chapter 1 (clear code beats comments)
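The following is an added example, not code from the apollo-mcp-server repository, that illustrates the behaviour described in the PR description (forward only the configured headers, warn when a forwarded header is credential-bearing) together with the explicit case-insensitive matching suggested in the comment above. The `Headers` alias, the `forward_headers` function and `ForwardResult` are hypothetical stand-ins for the server's `HeaderMap`-based code; the sensitive-header list and the warning text are taken from the PR description, and the sample request headers are constructed. The warning deliberately carries only the header name, never its value, so the log itself does not become a second place where the credential is exposed.

```rust
use std::collections::HashSet;

/// Credential-bearing header names named in the PR description.
const SENSITIVE_HEADERS: [&str; 4] = ["authorization", "cookie", "proxy-authorization", "x-api-key"];

/// Hypothetical stand-in for an HTTP HeaderMap: (name, value) pairs as received.
pub type Headers = Vec<(String, String)>;

/// Result of the forwarding step: headers to send upstream plus operator warnings.
pub struct ForwardResult {
    pub outgoing: Headers,
    pub warnings: Vec<String>,
}

/// Forward only the headers listed in `forward_headers` (the config option from the PR).
/// Both the configured names and the incoming names are lowercased before comparison,
/// because HTTP field names are case-insensitive (RFC 7230). A warning is recorded for
/// every forwarded header whose lowercased name is in the sensitive set; the request is
/// not blocked, matching the PR's "warn, don't block" behaviour.
pub fn forward_headers(incoming: &Headers, forward_headers: &[&str]) -> ForwardResult {
    let allow: HashSet<String> = forward_headers
        .iter()
        .map(|h| h.to_ascii_lowercase())
        .collect();
    let sensitive: HashSet<&str> = SENSITIVE_HEADERS.iter().copied().collect();

    let mut outgoing = Vec::new();
    let mut warnings = Vec::new();
    for (name, value) in incoming {
        let lower = name.to_ascii_lowercase();
        if !allow.contains(&lower) {
            continue; // not in forward_headers: dropped, no warning
        }
        if sensitive.contains(lower.as_str()) {
            // Log the header *name* only; the value is a credential and must not be logged.
            warnings.push(format!(
                "Forwarding sensitive header to upstream GraphQL API header={}",
                lower
            ));
        }
        outgoing.push((lower, value.clone()));
    }
    ForwardResult { outgoing, warnings }
}

fn main() {
    // Constructed sample request, mixed-case names to exercise the normalization.
    let incoming: Headers = vec![
        ("Authorization".to_string(), "Bearer test-token".to_string()),
        ("X-Tenant-Id".to_string(), "tenant-123".to_string()),
        ("Cookie".to_string(), "session=abc".to_string()),
        ("Content-Type".to_string(), "application/json".to_string()),
    ];
    // Same forward_headers list as the PR's test config.
    let result = forward_headers(&incoming, &["authorization", "x-tenant-id"]);
    for w in &result.warnings {
        println!("WARN {}", w);
    }
    for (name, value) in &result.outgoing {
        println!("forward {}: {}", name, value);
    }
}
```

With the PR's test config, `Authorization` is forwarded and produces exactly one warning, `X-Tenant-Id` is forwarded silently, and `Cookie` is neither forwarded nor warned about because it is not in `forward_headers`; writing `AUTHORIZATION` in the config or sending `authorization` in the request gives the same outcome.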


let mut incoming = HeaderMap::new();
incoming.insert("authorization", HeaderValue::from_static("Bearer token"));
incoming.insert("cookie", HeaderValue::from_static("session=abc"));

[Consider] For consistency with Chapter 5.1 recommendations, consider organizing this test within a mod forward_headers block alongside the other forward_headers tests (lines 244-315). This would make the test output read as forward_headers::warns_on_sensitive_headers and group related tests together.

Reference: Chapter 5.1 - Use modules for organization

@claude

claude bot commented Feb 10, 2026

Review Summary

This PR adds runtime warnings when sensitive credential headers (authorization, cookie, proxy-authorization, x-api-key) are forwarded to the upstream GraphQL API, helping operators identify potential security risks per MCP security best practices.

The implementation is clean, focused, and well-tested. The warning is emitted only when the sensitive header is actually present in an incoming request, which is the right approach to avoid noise.

Findings

  • Case sensitivity consideration: The sensitive header matching is case-sensitive. While this works correctly due to reqwest's header normalization, making it explicitly case-insensitive would improve clarity and robustness.
  • Test organization: The new test could be grouped with other forward_headers tests in a module for better organization.

Test Coverage Assessment

✅ Excellent test coverage:

  • Sensitive header warning is tested with multiple header types
  • Verification that non-sensitive headers don't trigger warnings
  • Integration with existing header forwarding tests

Final Recommendation

Approve with suggestions - The implementation is solid and ready to merge. The suggestions above are minor improvements for clarity and organization, not blocking issues.


Reviewed by Claude Code Sonnet 4.5


@pragl pragl left a comment


Docs changes LGTM!
