On 30/03/2026 at 5:27 PM, Nenad Merdanovic wrote:
Hello Christopher,

Would that be optional or are you saying it should always work like
that? The reason I'm asking is that doing it that way kind of defeats
the purpose of the feature which is that SPOA needs to be able to set
arbitrary headers. If we make it always work that way, you would still
need to strip the prefix for headers that you want SPOA to rewrite or
insert that you want the origin to understand correctly (think
Host/Authorization/various signature headers, etc.)

In my mind, the SPOA is responsible for managing what kind of
headers it allows to be inserted/changed. If what you're saying is
having an option to add the prefix to each header, I can build that
in.

Well, it can be optional of course. The idea is to let the user decide if he 100% trusts the SPOA (or more generally the producer of these headers) or not. It is the same as for the "var-prefix" SPOE option and the "register-var-names" / "force-set-var" SPOE directives.

I would say that ideally it could also be nice to exclude some header names. But it could be a bit hard to configure and probably overkill. So a filter on a prefix is a good alternative I guess.

My first idea was to only insert headers with a name matching a prefix, this way forcing the SPOA to use this prefix. But it could also be a prefix to add to each header name. It may be easier.

Regards,
--
Christopher Faulet
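
The trade-off discussed in this thread, as an added illustration in Python (not HAProxy code and not written by either participant): headers produced by an agent are applied to a request with no prefix, with a prefix filter, or with a prefix added to every name. The function name, the mode names and the `x-spoa-` prefix are assumptions made for this example.

```python
import re

# RFC 9110 "token" characters allowed in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def merge_agent_headers(request, agent, mode="trust", prefix=""):
    """Apply agent-produced headers to a request (hypothetical model).

    mode="trust":  agent headers are set as-is (agent fully trusted)
    mode="filter": only names starting with `prefix` are set, others rejected
    mode="add":    `prefix` is prepended to every agent header name
    Returns (new_headers, rejected_names).
    """
    if mode not in ("trust", "filter", "add"):
        raise ValueError(f"unknown mode: {mode}")
    if mode != "trust" and not prefix:
        raise ValueError("filter/add modes need a non-empty prefix")
    prefix = prefix.lower()
    accepted, rejected = [], []
    for name, value in agent:
        name = name.lower()  # header names are case-insensitive
        if not TOKEN.fullmatch(name) or "\r" in value or "\n" in value:
            rejected.append(name)  # malformed name or CR/LF in value
            continue
        if mode == "filter" and not name.startswith(prefix):
            rejected.append(name)  # outside the agent's namespace
            continue
        if mode == "add":
            name = prefix + name
        accepted.append((name, value))
    # "set" semantics: an accepted header replaces any existing one of that name
    replaced = {n for n, _ in accepted}
    merged = [(n.lower(), v) for n, v in request if n.lower() not in replaced]
    return merged + accepted, rejected

# Constructed sample data, not taken from the thread.
REQUEST = [("Host", "www.example.com"), ("Accept", "*/*")]
AGENT = [("Host", "internal.example"),
         ("Authorization", "Bearer constructed"),
         ("X-Spoa-Score", "7")]

if __name__ == "__main__":
    for mode in ("trust", "filter", "add"):
        hdrs, rej = merge_agent_headers(REQUEST, AGENT, mode, "x-spoa-")
        print(mode, dict(hdrs), "rejected:", rej)
```

In the two prefixed modes the client's `Host` survives and the agent cannot set `Authorization` under its real name, which is the restriction Nenad points out and the reason Christopher proposes making the prefix optional.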

