From 25167050dd78b6ed26c7da294ee0a2e6e6639ec6 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Tue, 15 Jul 2025 13:54:33 -0600
Subject: chore: only strip authorization and cookie headers for authzd

---
 etc/envoy/envoy.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index bfe2ce16..3d22819e 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -137,9 +137,6 @@ static_resources:
                       suppress_envoy_headers: true
                 route_config:
                   name: local_route
-                  request_headers_to_remove:
-                    - authorization
-                    - cookie
                   response_headers_to_add:
                     - header:
                         key: "x-content-type-options"
@@ -160,6 +157,9 @@ static_resources:
                           route:
                             cluster: authzd
                             timeout: 30s
+                          request_headers_to_remove:
+                            - authorization
+                            - cookie
                         # Default route - everything else goes to SpiceDB
                         - match:
                             prefix: "/"
-- 
cgit v1.2.3