Header param with underscore in http requests not available at server side when requesting via postman

Question

Following is the curl export of the API call which is failing -

curl -X GET \
  'http://endpoint.in/dummy/path?mobile=777777777' \
  -H 'Content-Type: application/json' \
  -H 'auth_token: iubsaicbsaicbasiucbsa'

The header param auth_token is not available at all in the server side, as checked from logs.

The same curl however works when directly issued as a command. I have the latest postman version v6.2.3 installed. Also, the same API end point works when requested via other tools like Advanced REST client of chrome.

Previously, I had also checked read this thread http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers

Many servers, like nginx, have a config which if set, discards headers with underscore in name.

However, I could not verify the same because I could not find out exactly how is the server deployed in this. It is a node application and we run this command to run the application -

nohup /bin/forever start -o logs/out.log -e logs/err.log app.js

ps -ef | grep node shows the following -

root      5981     1  0 Jul19 ?        00:00:00 /root/.nvm/v7.2.1/bin/node /usr/lib/node_modules/forever/bin/monitor app.js
root      5991  5981  0 Jul19 ?        00:00:04 /root/.nvm/v7.2.1/bin/node /usr/local/another/path/to/app.js

Update

This is interfering in our automated testing as well, via Jmeter.

Update

We have nginx running on the server and it seems to be calling node process. We observed that on the server where this is working fine, the nginx config file has this setting -

underscores_in_headers on;

But this is not present in the config file of the server where it is not working.

Another observation - I am using latest postman version - 6.2.5, where the issue is there. However, when I sent the same postman collection to another teammate and he hit it after installing postman, it worked for him. I am still not sure whether the issue is with postman or the server setup.

Answer 1

Underscores are not explicitly forbidden in headers, but in the past for CGI underscores were converted to dashes. Because of this legacy NGINX and Apache HTTPD treat underscores in headers as potentially problematic.

https://stackoverflow.com/a/22856867/2955337

You can explicitly set underscores_in_headers on;, but the default is off, so by default NGINX does not accept underscores

http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers

curl apparently converts underscores to dashes to circumvent this issue.

https://github.com/requests/requests/issues/1292#issuecomment-15997612