
What's the difference between zuul.ignoredHeaders and zuul.sensitiveHeaders


I read the docs but still I'm not sure about the difference between these two properties:

zuul:
  ignored-headers: 
  sensitive-headers:

If you could explain it in other words, it would be appreciated.


Solution

  • Sensitive headers refer to the headers that are too sensitive to be passed on to the downstream applications. By default, Zuul considers Cookie, Set-Cookie, Authorization to be sensitive and doesn't pass those around. You can add/remove headers to this as per the security requirements.

    • Usage: The principal idea is to prevent data leakage.
    • Possible Application: When Zuul connects to an external downstream application, sensitive headers such as the Authorization token should not be sent to external services.

  • Ignored headers are the headers that are totally ignored once traffic reaches Zuul. In other words, Zuul ignores such headers when sending traffic downstream and ignores such headers from the response of the downstream services too.

    • Usage: The principal idea is to remove specific headers.
    • Possible Application: Zuul can function as an anonymizer between 2 parties and totally ignore headers that might give away data about a system.

    References:

    1. https://github.com/spring-cloud/spring-cloud-netflix/blob/master/docs/src/main/asciidoc/spring-cloud-netflix.adoc
    2. http://cloud.spring.io/spring-cloud-static/Finchley.M9/single/spring-cloud.html#_ignored_headers
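The following application.yml is an added illustration of the two properties side by side; it is not from the answer above or from the Spring Cloud project. The route names, paths and URLs are made up, and it also shows the per-route override of sensitive headers that the answer does not mention.

```yaml
zuul:
  # sensitive-headers is a blacklist applied to the REQUEST on its way to the
  # backend. This is the default value; spelling it out makes the policy visible.
  # Setting it to an empty value would forward Cookie/Authorization to every route.
  sensitive-headers: Cookie,Set-Cookie,Authorization

  # ignored-headers are stripped in BOTH directions: from the request before it
  # is proxied and from the backend response before it reaches the client.
  # Hypothetical header names used to show stripping of internal/fingerprinting data.
  ignored-headers: X-Powered-By,Server,X-Internal-Trace-Id

  routes:
    # Trusted internal service that needs the caller's session/token:
    # an empty per-route sensitive-headers list overrides the global blacklist,
    # so Cookie and Authorization ARE forwarded here (ignored-headers still apply).
    accounts:
      path: /accounts/**
      url: https://accounts.internal.example.test   # constructed URL
      sensitive-headers:

    # External partner API: keep the global blacklist and additionally block a
    # hypothetical internal API key so it can never leak to a third party.
    partner:
      path: /partner/**
      url: https://api.partner.example.test          # constructed URL
      sensitive-headers: Cookie,Set-Cookie,Authorization,X-Internal-Api-Key
```

Note that the empty `sensitive-headers:` under `accounts` is deliberate: because the default blacklist is non-empty, the only way to let a route receive cookies or the Authorization header is to explicitly clear the list for that route.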