From 7edfed201bfbfb477f8cf3a936878fce8a55b25c Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 28 May 2025 16:48:57 -0600
Subject: chore: do not forward sensitive headers to Sparkle
---
 etc/envoy/envoy.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'etc')
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index b483fe9..eb4901a 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -185,7 +185,7 @@ static_resources:
 header_name: x-jwt-claim-profile-url
 - claim_name: picture
 header_name: x-jwt-claim-picture-url
- forward: true
+ forward: false
 forward_payload_header: x-jwt-payload
 from_cookies:
 - id_token
@@ -219,6 +219,10 @@ static_resources:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 suppress_envoy_headers: true
 route_config:
+ request_headers_to_remove:
+ - authorization
+ - cookie
+ - user-agent
 virtual_hosts:
 - name: local
 domains: ["*"]
--
cgit v1.2.3
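Review bot: `forward: false` on this provider may not by itself keep the token away from the upstream, because the JWT is read from the `id_token` cookie (`from_cookies`) and, as far as I recall from Envoy's jwt_authn documentation, the removal only takes effect for tokens extracted from a header; this should be confirmed against the Envoy version deployed. The actual stripping then appears to depend on the route-level `request_headers_to_remove` added in the second hunk, and a comment next to this line would record that dependency, e.g. `# JWT comes from the id_token cookie; the cookie header is removed by request_headers_to_remove on route_config`. `forward_payload_header: x-jwt-payload` and the `x-jwt-claim-*` headers still carry the verified claims, so the upstream should trust them only when the request arrives through this proxy. The provider block starts and ends outside the hunk.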
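Review bot: `request_headers_to_remove` is placed on `route_config`, so `authorization`, `cookie` and `user-agent` are dropped for every virtual host and route under it, not only for traffic to Sparkle. Only the `local` virtual host with `domains: ["*"]` is visible here, so if any other route needs the session cookie the list belongs on the specific route or virtual host instead. `user-agent` is not a credential and removing it takes a useful field out of the upstream's access logs, so the reason for stripping it should be stated. I would add a comment above the list such as `# removed by the router after the auth filters have read the id_token cookie; the upstream sees identity only via x-jwt-* headers`. The remainder of `route_config` lies outside the hunk.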