End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

Proxy Response Headers

Learn how to use NGINX Management Suite API Connectivity Manager to set response headers to send to your clients.

Overview

In API Connectivity Manager, you can apply global policies to API Gateways and Developer Portals to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.

About the Policy

Customize the Proxy Response Headers policy to include or exclude headers in the proxy response. By default, the standard headers are included in the response. In addition, you can specify whether the header is always included regardless of the response code. You can also add custom headers and values to include in the response.

Intended Audience

This guide is meant for Infrastructure Administrators.

Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.


Workflow for Applying Policy

To apply the policy or make changes to it, here’s what you need to do:

  • Create an environment or edit an existing one.
  • Check the advanced settings for the environment to see if the policy has been applied.
  • Edit the policy to make changes for each environment. Save and publish the changes.

Policy Settings

The following table lists the configurable settings and their default values for the policy.

Standard Headers

Field Datatype Possible Values
Description
Required Default Always Include
web-security-headers boolean true/false When set to true, the default headers are passed in proxy response. For more information, refer to the Web Security Headers section. No true true
latency-headers boolean true/false When set to true, the default headers are passed in proxy response. For more information, refer to the Latency Headers section. No true false
cache-headers boolean true/false When set to true, the default headers are passed in proxy response. For more information, refer to the Cache Headers section. No true true
client-headers boolean true/false When set to true, X-Client-Original-IP header is passed in proxy response. For more information, refer to the Client Headers section. No true true
hide-nginx-headers boolean true/false When set to true, nginx version is not passed in Server header in proxy response. For more information, refer to the Hide NGINX Headers section. No false false
correlation-id boolean true/false When set to true, the correlation id header is passed in proxy response. For more information, refer to the Correlation ID Headers section. No true true

Web Security Headers

Header Example Directive
Description
Strict-Transport-Security Strict-Transport-Security: max-age=31536000; includeSubDomains add_header Strict-Transport-Security “max-age=31536000; includeSubDomains” [always] HSTS response header informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
X-Frame-Options X-Frame-Options: SAMEORIGIN add_header X-Frame-Options SAMEORIGIN [always] The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in iframe. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
X-Content-Type-Options X-Content-Type-Options: nosniff add_header X-Content-Type-Options nosniff [always] The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.
X-Xss-Protection X-Xss-Protection: 1; mode=block add_header X-Xss-Protection “1; mode=block” [always] The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript (‘unsafe-inline’).

Latency Headers

Header Example Directive
Description
X-Backend-Latency X-Backend-Latency: 0.744 add_header X-Backend-Latency $upstream_header_time [always] Backend/Upstream response time
X-Total-Request-Response-Latency X-Total-Request-Response-Latency: 0.743 add_header X-Total-Request-Response-Latency $request_time [always] Request time
X-Backend-Connection-Time X-Backend-Connection-Time: 0.433 add_header X-Backend-Connection-Time $upstream_connect_time [always] Backend/Upstream connect time

Cache Headers

Header Example Directive
Description
Cache-Control Cache-Control: public, must-revalidate, proxy-revalidate add_header Cache-Control “public, must-revalidate, proxy-revalidate” [always] The Cache-Control HTTP header field holds directives (instructions) — in both requests and responses — that control caching in browsers and shared caches (e.g. Proxies, CDNs).

Client Headers

Header Example Directive
Description
X-Client-Original-IP X-Client-Original-IP: 172.10.10.10 add_header X-Client-Original-IP $realip_remote_addr [always] Client original IP.

Hide NGINX Headers

Header Example Directive
Description
Server Server: nginx server_tokens off NGINX version is not passed in Server header in proxy response. Server: nginx [nginx/1.23.2]

Correlation ID Headers

Header Example Directive
Description
<correlation-id-header-name> x-correlation-id: 26fd65ab0bbe36e546e3da14f4aea89f add_header <correlation-id-header-name> <correlation-id> [always] There must also be a request-correlation-id policy that will tell you the header name that gets used. The correlation id value is usually the $request_id but there is logic that that can be overridden by a specific value in the request header itself.

Custom Headers

Header Example Directive
Description
<custom-header-name> x-custom-header: 3da14f4aea89f add_header <custom-header-name> <custom-header-value> [always] Add a custom header.

Adding the Policy

See Also:
You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.

To create or update a Response Headers policy using the REST API, send an HTTP PUT request to the Environment endpoint.

Method Endpoint
PUT /infrastructure/workspaces/{workspace}/environments/{environment}
JSON request
{
    "policies": {
        "proxy-response-headers": [
            {
                "action": {
                    "config": [
                        {
                            "always": true,
                            "enabled": true,
                            "name": "web-security-headers"
                        },
                        {
                            "always": true,
                            "enabled": true,
                            "name": "correlation-id"
                        },
                        {
                            "always": false,
                            "enabled": true,
                            "name": "latency-headers"
                        },
                        {
                            "always": true,
                            "enabled": true,
                            "name": "cache-headers"
                        },
                        {
                            "always": false,
                            "enabled": false,
                            "name": "hide-nginx-headers"
                        },
                        {
                            "always": true,
                            "enabled": true,
                            "name": "client-headers"
                        }
                    ],
                    "customResponseHeaders": [
                        {
                            "always": true,
                            "key": "x-custom-header",
                            "value": "3da14f4aea89f"
                        }
                    ]
                }
            }
        ]
    }
}

To create/update Response Headers policy using the web interface:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
  2. On the left menu, select Infrastructure.
  3. Choose the workspace that includes the environment for the cluster you want to add the policy to.
  4. Select the environment for your cluster.
  5. In the list of clusters, locate the cluster you want to add the policy to. On the Actions menu (represented by an ellipsis, …), select Edit Advanced Config.
  6. On the left menu, select Global Policies.
  7. From the list of policies, locate the policy, then select Add Policy from the Actions menu (represented by an ellipsis, …).
  8. Select Save and Submit to deploy the configuration.