config: add PassIdentityHeaders option (#903)

Currently, user's identity headers are always inserted to downstream request. For privacy reason, it would be better to not insert these headers by default, and let user chose whether to include these headers per=policy basis. Fixes #702
2025-06-02 19:04:14 +02:00 · 2020-06-22 10:29:44 +07:00 · 2020-06-22 10:29:44 +07:00 · 8d0deb0732
commit 8d0deb0732
parent 4a3fb5d44b
9 changed files with 115 additions and 14 deletions
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -6,6 +6,11 @@

 - config: add remove_request_headers @cuonglm [GH-702]
 - config: change default log level to INFO  @cuonglm [GH-902]
+- config: add pass_identity_headers @cuonglm [GH-903]
+
+### Changes
+
+- proxy: do not set X-Pomerium-Jwt-Assertion/X-Pomerium-Claim-* headers by default [GH-903]

 ## v0.9.1

--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -5,6 +5,15 @@ description: >-
  for Pomerium. Please read it carefully.
 ---

+# Since 0.10.0
+
+## Breaking
+
+### Identity headers
+
+With this release, pomerium will not insert identity headers (X-Pomerium-Jwt-Asserttion/X-Pomerium-Claim-*) by default. To get pre 0.9.0 behavior, you
+can set `pass_identity_headers` to true on a per-policy basis.
+
 # Since 0.9.0

 ## Breaking
@ -29,6 +38,7 @@ In `0.9.0`:

 option httpchk GET /ping HTTP/1.1\r\nHost:pomerium
 ```
+>>>>>>> c29807c3915b2e61d1a53dd007a8871b6494c3c6

 # Since 0.8.0