Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What's the difference between zuul.ignoredHeaders and zuul.sensitiveHeaders

Tags:

spring-boot

netflix-zuul

spring-cloud-netflix

I read the docs but still I'm not sure about the difference between these two properties:

zuul:
  ignored-headers: 
  sensitive-headers:

If you can explain it with another words it would be appreciated.

like image 263
Fabricio Avatar asked Oct 24 '18 12:10

Fabricio

People also ask

What is the difference between Zuul and spring cloud gateway?

Zuul is built on servlet 2.5 (works with 3. x), using blocking APIs. It doesn't support any long lived connections, like websockets. Gateway is built on Spring Framework 5, Project Reactor and Spring Boot 2 using non-blocking APIs.

What is difference between Zuul and Eureka?

Eureka belongs to "Open Source Service Discovery" category of the tech stack, while Zuul can be primarily classified under "Microservices Tools". Eureka is an open source tool with 8.16K GitHub stars and 2.27K GitHub forks.

In what order are Zuul filters executed?

There are four types of standard filters in Zuul: pre for pre-routing filtering, route for routing to an origin, post for post-routing filters, and error for error handling.

1 Answers

Sensitive headers refer to the headers that are too sensitive to be passed on to the downstream applications. By default, Zuul considers Cookie,Set-Cookie,Authorization to be sensitive and doesn't pass those around. You can add/remove headers to this as per the security requirements.

  • Usage: The principal idea is to prevent data leakage.
  • Possible Application: When Zuul connects to an external downstream application, sensitive headers such as Authorization token should not be sent to external services.

Ignored headers are the headers that are totally ignored once traffic reaches Zuul. In other words, Zuul ignores such headers when sending traffic to downstream and ignores such headers from the response of the downstream services too.

  • Usage: The principal idea is to remove specific headers.
  • Possible Application: Zuul can function as an anonymizer between 2 parties and totally ignore headers that might give away data about a system.

References:

  1. https://github.com/spring-cloud/spring-cloud-netflix/blob/master/docs/src/main/asciidoc/spring-cloud-netflix.adoc
  2. http://cloud.spring.io/spring-cloud-static/Finchley.M9/single/spring-cloud.html#_ignored_headers
like image 130
n7rider Avatar answered Sep 27 '22 17:09

n7rider
Sign in to Comment

Related questions

Eureka client in docker not connecting with Eureka server
How to secure websocket application [Spring boot + STOMP]
Spring boot cannot resolve view page
mock a CrudRepository findById ("111").get ()
Field authenticationManager in *** required a bean of type 'org.springframework.security.authentication.AuthenticationManager' that could not be found
Is @Autowired annotation mandatory on constructor in Spring boot
Spring changing the properties file in runtime
How to use Log4J2 composite configuration with Spring Boot
Spring Boot controller returns 404 for all api endpoints
Spring boot index not loading
Could not resolve dependencies for spring-web-reactive
Unable to open debugger port for Spring boot debug with intelliJIdea
How to call one microservice from another microservice using docker images
Retrieve path variable on Spring Boot WebFlux (functional approach)
Does Spring Boot 2 support Java 10?
Spring Boot 2.0 pagination with oracle is not working
Failed to lazily initialize a collection of role with SpringBoot
Docker (Spring Boot or Thorntail) and Keycloak
Cannot find the cache named xxx for the builder in spring boot application
Authentication using cookies in spring boot

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!