Can I remove x-middleware-rewrite http header from the response headers when using NextResponse.rewrite?

[Shelco]

Summary

Hi,

We´re using NextResponse.rewrite in our middleware for passing certain requests to an internal api. The api in question has safety measurements set up, and is only reachable by whitelisted networks, but we would still prefer it if the actual internal url was not displayed to external users. However, when performing such a rewrite, the http header "x-middleware-rewrite" is set on the response and contains the internal url. Is there any way to remove this header from the response?

Best regards,
Dan

Additional information

No response

Example

No response

[liamlows]

Would love some input on this issue as well, we use rewrites to not expose our internal apis to the internet and this feature just leaks the internal URI for those APIs which is not great.

[TryV]

Never understand the mind behind this ideas. why everything is locked and limited in Next.js! you can't remove headers. you can't access the request object in page components. what back-end framework is this!

[jayantbh]

I've been unable to find a related issue (open or closed) for this as well. Will need help.

[davidhu2000]

Took a look in the source code, i "think" the header is added here

next.js/packages/next/src/server/web/spec-extension/response.ts

Lines 135 to 144 in 6bebacb

	static rewrite(
	destination: string | NextURL | URL,
	init?: MiddlewareResponseInit
	) {
	const headers = new Headers(init?.headers)
	headers.set('x-middleware-rewrite', validateURL(destination))
	handleMiddlewareField(init, headers)
	return new NextResponse(null, { ...init, headers })
	}

doesn't look like there is a way in NextJS to disable.

The one solution I found, if you set that exact header where the request is rewrote to, the nextJS header is overwritten.

the client appears to get whatever value you set.

For example.

response.headers["X-Middleware-Rewrite"] = "--"

[TryV]

It didn't work for me.

[dpmango]

+1 for the option to hide X-Middleware-Rewrite which ruins all anonymization purposes of using api proxy

When manually overwriting header, it becomes always pending connection

middleware(req: NextRequest) {
    const response = NextResponse.rewrite(url)
    response.headers.set('X-Middleware-Rewrite', '')
    return response
}

[JamieS1211]

Just ran into this issue, have any of you found any work-arounds?

[TryV]

No, you can reverse proxy your app behind the Nginx and remove header using nginx rules.

example:

  location / {
    ...
    proxy_hide_header X-Middleware-Rewrite;
    ...
  }

I didn't tried myself though.

[JamieS1211]

I settled on just returning the result of a fetch. Seems to work fine but dunno if this will have any unintended consequences down the line