Set Request Headers

Summary

Set Request Headers allows you to set both static and dynamic values for given request headers. Static values can be useful if you want to pass along additional information to upstream applications as headers, or to set a fixed authentication header on the request.

The dynamic values enable you to pass ID and Access tokens from your identity provider to upstream applications.

To pass dynamic values from the user's OIDC claim to an upstream service, see JWT Claim Headers.

caution

Neither HTTP/2 pseudo-headers (for example, :authority) nor the Host: header may be modified via this mechanism. Those headers may instead be modified via prefix_rewrite, regex_rewrite, and host_rewrite.

How to configure

| YAML/JSON setting | Type | Usage |
| --- | --- | --- |
| set_request_headers | map of key-value pairs | optional |

Pass dynamic tokens in headers

| Token | Value |
| --- | --- |
| $pomerium.id_token | OIDC ID token from the identity provider |
| $pomerium.access_token | OAuth access token from the identity provider |

Note: Token values must use the $pomerium.<token> syntax.

danger

Be very careful when passing access tokens to an upstream application. This may allow the application to make other authenticated requests on behalf of the user.

Examples

Pass static header values in the request:

- from: https://verify.corp.example.com
  to: https://verify.pomerium.com
  policy:
    - allow:
        or:
          - email:
              is: user@example.com
  set_request_headers:
    # Set a fixed Basic Auth username and password (root:hunter42)
    Authorization: Basic cm9vdDpodW50ZXI0Mg==
    # Set a custom header
    X-Your-favorite-authenticating-Proxy: 'Pomerium'

Pass ID and Access tokens as dynamic headers in the request:

- from: https://verify.corp.example.com
  to: https://verify.pomerium.com
  policy:
    - allow:
        or:
          - email:
              is: user@example.com
  set_request_headers:
    x-pomerium-idp-id-token: $pomerium.id_token
    x-pomerium-idp-access-token: $pomerium.access_token
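
A configuration review can check set_request_headers against the caution and danger notes above before a route is deployed. The following is an added example, not part of the original page or of Pomerium itself: the names audit_route, audit, KNOWN_TOKENS and SAMPLE_ROUTES are hypothetical, the routes are constructed sample data in JSON form, and only the two tokens listed on this page are treated as known.

```python
import base64
import json
import re

# Constructed sample route (JSON form of the settings shown on this page).
SAMPLE_ROUTES = json.loads("""
[{"from": "https://verify.corp.example.com",
  "to": "https://verify.pomerium.com",
  "set_request_headers": {
    "Authorization": "Basic cm9vdDpodW50ZXI0Mg==",
    "x-pomerium-idp-id-token": "$pomerium.id_token",
    "x-pomerium-idp-access-token": "$pomerium.access_token",
    "Host": "internal.example.com",
    "x-typo": "$pomerium.acess_token"}}]
""")

KNOWN_TOKENS = {"id_token", "access_token"}  # assumption: the two this page lists
TOKEN_RE = re.compile(r"\$pomerium\.([A-Za-z0-9_]+)")


def audit_route(route):
    """Return (header, finding) pairs for one route's set_request_headers."""
    findings = []
    for name, value in route.get("set_request_headers", {}).items():
        lname, text = name.lower(), str(value)
        if lname == "host" or name.startswith(":"):
            findings.append((name, "not settable here; use a rewrite option"))
        for token in TOKEN_RE.findall(text):
            if token not in KNOWN_TOKENS:
                findings.append((name, "token not listed on this page: " + token))
            elif token == "access_token":
                findings.append((name, "forwards the user's access token upstream"))
        if lname == "authorization" and text.startswith("Basic "):
            try:
                raw = base64.b64decode(text[6:], validate=True)
                user = raw.decode().split(":", 1)[0]
            except ValueError:  # malformed base64 or non-UTF-8 credential
                user = "?"
            findings.append((name, "static Basic credential in config, user=" + user))
    return findings


def audit(routes):
    """Map each route's 'from' URL to its list of findings."""
    return {r["from"]: audit_route(r) for r in routes}


if __name__ == "__main__":
    for src, items in audit(SAMPLE_ROUTES).items():
        for header, finding in items:
            print(src, header, finding, sep=" | ")
```

The ID token header produces no finding; the access token header is reported so a reviewer can confirm the upstream application is trusted to act on the user's behalf.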