fix(core): support custom backend response headers

alukach · alukach · commit a5c5b9f794fd · 2026-03-19T21:59:15.000-07:00
diff --git a/crates/cf-workers/src/backend.rs b/crates/cf-workers/src/backend.rs
@@ -12,8 +12,8 @@ use multistore::backend::ForwardResponse;
 use multistore::backend::{build_signer, create_builder, ProxyBackend, RawResponse, StoreBuilder};
 use multistore::error::ProxyError;
 use multistore::route_handler::ForwardRequest;
-use multistore::route_handler::RESPONSE_HEADER_ALLOWLIST;
 use multistore::types::BucketConfig;
+
 use object_store::list::PaginatedListStore;
 use object_store::signer::Signer;
 use std::sync::Arc;
@@ -81,8 +81,7 @@ impl ProxyBackend for WorkerBackend {
         let backend_ws: web_sys::Response = worker_resp.into();
         let status = backend_ws.status();
 
-        // Build filtered response headers using the existing allowlist.
-        let headers = extract_response_headers(&backend_ws.headers());
+        let headers = convert_ws_headers(&backend_ws.headers());
         let content_length = headers
             .get(http::header::CONTENT_LENGTH)
             .and_then(|v| v.to_str().ok())
@@ -166,9 +165,8 @@ impl ProxyBackend for WorkerBackend {
             .await
             .map_err(|e| ProxyError::Internal(format!("failed to read response: {}", e)))?;
 
-        // Convert response headers
         let ws_response: web_sys::Response = worker_resp.into();
-        let resp_headers = extract_response_headers(&ws_response.headers());
+        let resp_headers = convert_ws_headers(&ws_response.headers());
 
         Ok(RawResponse {
             status,
@@ -178,15 +176,25 @@ impl ProxyBackend for WorkerBackend {
     }
 }
 
-/// Extract response headers from a `web_sys::Headers` using an allowlist.
-pub fn extract_response_headers(ws_headers: &web_sys::Headers) -> HeaderMap {
-    let mut resp_headers = HeaderMap::new();
-    for name in RESPONSE_HEADER_ALLOWLIST {
-        if let Ok(Some(value)) = ws_headers.get(name) {
-            if let Ok(parsed) = value.parse() {
-                resp_headers.insert(*name, parsed);
+/// Convert `web_sys::Headers` into an `http::HeaderMap`.
+fn convert_ws_headers(ws_headers: &web_sys::Headers) -> HeaderMap {
+    let mut out = HeaderMap::new();
+    if let Ok(iter) = js_sys::try_iter(&ws_headers.entries()) {
+        if let Some(iter) = iter {
+            for entry in iter.flatten() {
+                let pair = js_sys::Array::from(&entry);
+                if let (Some(name), Some(value)) =
+                    (pair.get(0).as_string(), pair.get(1).as_string())
+                {
+                    if let (Ok(hn), Ok(hv)) = (
+                        name.parse::<http::header::HeaderName>(),
+                        value.parse::<http::header::HeaderValue>(),
+                    ) {
+                        out.insert(hn, hv);
+                    }
+                }
             }
         }
     }
-    resp_headers
+    out
 }
diff --git a/crates/core/src/proxy.rs b/crates/core/src/proxy.rs
@@ -77,7 +77,8 @@ const PRESIGNED_URL_TTL: Duration = Duration::from_secs(300);
 
 // Re-export types that were historically defined here for backwards compatibility.
 pub use crate::route_handler::{
-    ForwardRequest, HandlerAction, PendingRequest, ProxyResult, RESPONSE_HEADER_ALLOWLIST,
+    filter_response_headers, ForwardRequest, HandlerAction, PendingRequest, ProxyResult,
+    RESPONSE_HEADER_DENYLIST,
 };
 
 /// Simplified two-variant result from [`ProxyGateway::handle_request`].
@@ -236,7 +237,10 @@ where
             return match action {
                 HandlerAction::Response(r) => GatewayResponse::Response(r),
                 HandlerAction::Forward(fwd) => match self.backend.forward(fwd, body).await {
-                    Ok(resp) => GatewayResponse::Forward(resp),
+                    Ok(mut resp) => {
+                        resp.headers = filter_response_headers(&resp.headers);
+                        GatewayResponse::Forward(resp)
+                    }
                     Err(e) => GatewayResponse::Response(error_response(
                         &e,
                         req.path,
@@ -288,7 +292,8 @@ where
                 (GatewayResponse::Response(r), s, rb, false)
             }
             HandlerAction::Forward(fwd) => match self.backend.forward(fwd, body).await {
-                Ok(resp) => {
+                Ok(mut resp) => {
+                    resp.headers = filter_response_headers(&resp.headers);
                     let s = resp.status;
                     let cl = resp.content_length;
                     (GatewayResponse::Forward(resp), s, cl, true)
@@ -842,7 +847,7 @@ where
 
         Ok(ProxyResult {
             status: raw_resp.status,
-            headers: raw_resp.headers,
+            headers: filter_response_headers(&raw_resp.headers),
             body: ProxyResponseBody::from_bytes(raw_resp.body),
         })
     }
diff --git a/crates/core/src/route_handler.rs b/crates/core/src/route_handler.rs
@@ -110,22 +110,55 @@ pub struct PendingRequest {
     pub(crate) request_id: String,
 }
 
-/// Headers to forward from backend responses (used by runtimes for Forward responses).
-pub const RESPONSE_HEADER_ALLOWLIST: &[&str] = &[
-    "content-type",
-    "content-length",
-    "content-range",
-    "etag",
-    "last-modified",
-    "accept-ranges",
-    "content-encoding",
-    "content-disposition",
-    "cache-control",
-    "x-amz-request-id",
-    "x-amz-version-id",
-    "location",
+/// Response headers that must NOT be forwarded to clients.
+///
+/// Uses a denylist approach: all headers pass through except those that are
+/// genuinely dangerous to forward from a reverse proxy. This allows cloud
+/// provider metadata (x-amz-meta-*, x-ms-meta-*, x-goog-meta-*) and useful
+/// operational headers to flow through without explicit allowlisting.
+pub const RESPONSE_HEADER_DENYLIST: &[&str] = &[
+    // Hop-by-hop (RFC 7230 §6.1)
+    "transfer-encoding",
+    "connection",
+    "keep-alive",
+    "proxy-connection",
+    "te",
+    "trailer",
+    "upgrade",
+    // Auth/cookies
+    "proxy-authenticate",
+    "proxy-authorization",
+    "www-authenticate",
+    "set-cookie",
+    // Proxy routing
+    "forwarded",
+    "x-forwarded-for",
+    "x-forwarded-proto",
+    "x-forwarded-host",
+    "x-forwarded-port",
+    "via",
+    // Encryption key material (lets attackers validate guessed keys)
+    "x-amz-server-side-encryption-customer-key-md5",
+    "x-amz-server-side-encryption-aws-kms-key-id",
+    "x-ms-encryption-key-sha256",
+    "x-goog-encryption-key-sha256",
 ];
 
+/// Filter a `HeaderMap` by removing headers in the [`RESPONSE_HEADER_DENYLIST`].
+///
+/// Blocks hop-by-hop, auth/cookie, proxy routing, and encryption key material
+/// headers. Everything else (content metadata, cloud provider headers, user
+/// metadata) passes through.
+pub fn filter_response_headers(source: &http::HeaderMap) -> http::HeaderMap {
+    let mut out = http::HeaderMap::new();
+    for (name, value) in source.iter() {
+        if !RESPONSE_HEADER_DENYLIST.contains(&name.as_str()) {
+            out.insert(name.clone(), value.clone());
+        }
+    }
+    out
+}
+
 /// The future type returned by [`RouteHandler::handle`].
 #[cfg(not(target_arch = "wasm32"))]
 pub type RouteHandlerFuture<'a> = Pin<Box<dyn Future<Output = Option<ProxyResult>> + Send + 'a>>;
@@ -233,3 +266,101 @@ pub trait RouteHandler: MaybeSend + MaybeSync {
     /// to the next handler or the proxy dispatch pipeline.
     fn handle<'a>(&'a self, req: &'a RequestInfo<'a>) -> RouteHandlerFuture<'a>;
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_blocks_hop_by_hop_headers() {
+        let mut headers = http::HeaderMap::new();
+        headers.insert("transfer-encoding", "chunked".parse().unwrap());
+        headers.insert("connection", "keep-alive".parse().unwrap());
+        headers.insert("content-type", "text/plain".parse().unwrap());
+
+        let filtered = filter_response_headers(&headers);
+        assert!(filtered.get("transfer-encoding").is_none());
+        assert!(filtered.get("connection").is_none());
+        assert!(filtered.get("content-type").is_some());
+    }
+
+    #[test]
+    fn test_blocks_auth_and_cookie_headers() {
+        let mut headers = http::HeaderMap::new();
+        headers.insert("www-authenticate", "Basic".parse().unwrap());
+        headers.insert("set-cookie", "session=abc".parse().unwrap());
+        headers.insert("etag", "\"abc\"".parse().unwrap());
+
+        let filtered = filter_response_headers(&headers);
+        assert!(filtered.get("www-authenticate").is_none());
+        assert!(filtered.get("set-cookie").is_none());
+        assert!(filtered.get("etag").is_some());
+    }
+
+    #[test]
+    fn test_blocks_encryption_key_material() {
+        let mut headers = http::HeaderMap::new();
+        headers.insert(
+            "x-amz-server-side-encryption-aws-kms-key-id",
+            "arn:aws:kms:us-east-1:123456:key/abc".parse().unwrap(),
+        );
+        headers.insert(
+            "x-amz-server-side-encryption-customer-key-md5",
+            "abc123".parse().unwrap(),
+        );
+        headers.insert("x-amz-server-side-encryption", "aws:kms".parse().unwrap());
+
+        let filtered = filter_response_headers(&headers);
+        assert!(filtered
+            .get("x-amz-server-side-encryption-aws-kms-key-id")
+            .is_none());
+        assert!(filtered
+            .get("x-amz-server-side-encryption-customer-key-md5")
+            .is_none());
+        // Encryption method (not key material) should pass through
+        assert!(filtered.get("x-amz-server-side-encryption").is_some());
+    }
+
+    #[test]
+    fn test_passes_cloud_metadata_headers() {
+        let mut headers = http::HeaderMap::new();
+        headers.insert("x-amz-meta-author", "alice".parse().unwrap());
+        headers.insert("x-ms-meta-version", "2".parse().unwrap());
+        headers.insert("x-goog-meta-project", "test".parse().unwrap());
+        headers.insert("x-amz-storage-class", "STANDARD".parse().unwrap());
+        headers.insert("x-amz-version-id", "v1".parse().unwrap());
+
+        let filtered = filter_response_headers(&headers);
+        assert_eq!(filtered.len(), 5);
+    }
+
+    #[test]
+    fn test_passes_standard_content_headers() {
+        let mut headers = http::HeaderMap::new();
+        headers.insert("content-type", "application/json".parse().unwrap());
+        headers.insert("content-length", "1234".parse().unwrap());
+        headers.insert("content-range", "bytes 0-499/1000".parse().unwrap());
+        headers.insert("etag", "\"abc\"".parse().unwrap());
+        headers.insert(
+            "last-modified",
+            "Mon, 01 Jan 2024 00:00:00 GMT".parse().unwrap(),
+        );
+        headers.insert("accept-ranges", "bytes".parse().unwrap());
+        headers.insert("cache-control", "max-age=3600".parse().unwrap());
+        headers.insert("location", "/new".parse().unwrap());
+
+        let filtered = filter_response_headers(&headers);
+        assert_eq!(filtered.len(), 8);
+    }
+
+    #[test]
+    fn test_blocks_proxy_routing_headers() {
+        let mut headers = http::HeaderMap::new();
+        headers.insert("x-forwarded-for", "1.2.3.4".parse().unwrap());
+        headers.insert("via", "1.1 proxy".parse().unwrap());
+        headers.insert("forwarded", "for=1.2.3.4".parse().unwrap());
+
+        let filtered = filter_response_headers(&headers);
+        assert!(filtered.is_empty());
+    }
+}
diff --git a/docs/architecture/request-lifecycle.md b/docs/architecture/request-lifecycle.md
@@ -156,10 +156,13 @@ For lower-level control, `ProxyGateway::handle` returns the raw three-variant `H
 > [!WARNING]
 > Multipart uploads are only supported for `backend_type = "s3"`. Non-S3 backends should use single PUT requests (object_store handles chunking internally).
 
-## Response Header Forwarding
+## Response Header Filtering
 
-The proxy forwards only specific headers from the backend response to the client:
+The proxy uses a denylist to strip dangerous headers from backend responses before forwarding to clients. All headers pass through except:
 
-`content-type`, `content-length`, `content-range`, `etag`, `last-modified`, `accept-ranges`, `content-encoding`, `content-disposition`, `cache-control`, `x-amz-request-id`, `x-amz-version-id`, `location`
+- **Hop-by-hop** (RFC 7230 §6.1): `transfer-encoding`, `connection`, `keep-alive`, `te`, `trailer`, `upgrade`, `proxy-connection`
+- **Auth/cookies**: `proxy-authenticate`, `proxy-authorization`, `www-authenticate`, `set-cookie`
+- **Proxy routing**: `forwarded`, `x-forwarded-for`, `x-forwarded-proto`, `x-forwarded-host`, `x-forwarded-port`, `via`
+- **Encryption key material**: `x-amz-server-side-encryption-customer-key-md5`, `x-amz-server-side-encryption-aws-kms-key-id`, `x-ms-encryption-key-sha256`, `x-goog-encryption-key-sha256`
 
-All other backend headers are filtered out.
+This means content headers, cloud provider metadata (e.g. `x-amz-storage-class`), and user metadata from any provider (`x-amz-meta-*`, `x-ms-meta-*`, `x-goog-meta-*`) all flow through to clients automatically.
diff --git a/examples/lambda/src/client.rs b/examples/lambda/src/client.rs
@@ -6,7 +6,7 @@ use lambda_http::Body;
 use multistore::backend::ForwardResponse;
 use multistore::backend::{build_signer, create_builder, ProxyBackend, RawResponse};
 use multistore::error::ProxyError;
-use multistore::route_handler::{ForwardRequest, RESPONSE_HEADER_ALLOWLIST};
+use multistore::route_handler::ForwardRequest;
 use multistore::types::BucketConfig;
 use multistore_oidc_provider::{HttpExchange, OidcProviderError};
 use object_store::list::PaginatedListStore;
@@ -82,13 +82,7 @@ impl ProxyBackend for LambdaBackend {
 
         let status = backend_resp.status().as_u16();
 
-        // Forward allowlisted response headers
-        let mut headers = http::HeaderMap::new();
-        for name in RESPONSE_HEADER_ALLOWLIST {
-            if let Some(v) = backend_resp.headers().get(*name) {
-                headers.insert(*name, v.clone());
-            }
-        }
+        let headers = backend_resp.headers().clone();
 
         let content_length = backend_resp.content_length();
 
diff --git a/examples/server/src/client.rs b/examples/server/src/client.rs
@@ -7,7 +7,7 @@ use http_body_util::BodyStream;
 use multistore::backend::ForwardResponse;
 use multistore::backend::{build_signer, create_builder, ProxyBackend, RawResponse};
 use multistore::error::ProxyError;
-use multistore::route_handler::{ForwardRequest, RESPONSE_HEADER_ALLOWLIST};
+use multistore::route_handler::ForwardRequest;
 use multistore::types::BucketConfig;
 use multistore_oidc_provider::{HttpExchange, OidcProviderError};
 use object_store::list::PaginatedListStore;
@@ -80,13 +80,7 @@ impl ProxyBackend for ServerBackend {
 
         let status = backend_resp.status().as_u16();
 
-        // Forward allowlisted response headers
-        let mut headers = HeaderMap::new();
-        for name in RESPONSE_HEADER_ALLOWLIST {
-            if let Some(v) = backend_resp.headers().get(*name) {
-                headers.insert(*name, v.clone());
-            }
-        }
+        let headers = backend_resp.headers().clone();
 
         let content_length = backend_resp.content_length();
 
