Page MenuHomePhabricator
Create Task
Maniphest T417781

haproxy: strip x-wmf-* headers from responses
Closed, ResolvedPublic
Actions

Description

Headers using the prefix x-wmf-* are used internally be the API/REST gateway. They may be included in the response for analytics purposes, but should not be exposed to the client.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
varnish: add trusted_req and rl_class fields to x-analyticsoperations/puppetproduction+56 -0
cache::haproxy: save x-ratelimit-class content for webrequestoperations/puppetproduction+6 -1
Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Introduce x_ratelimit_class new variablerepos/sre/haproxykafka!105fabfurx-wmf-ratelimit-classmain
Customize query in GitLab

Related Objects
Search...

Event Timeline

daniel created this task.Feb 18 2026, 1:40 PM
daniel moved this task from Incoming (Needs Triage) to Radar (other teams work) on the MW-Interfaces-Team board.
daniel removed a project: FY2025-26 KR 5.1.
daniel mentioned this in T417780: rest gateway: include x-wmf-* headers in response.Feb 19 2026, 9:39 AM
JAllemandou added a project: Data-Engineering.Feb 19 2026, 1:24 PM
MShilova_WMF subscribed.Feb 19 2026, 6:34 PM
KCVelaga_WMF subscribed.Feb 23 2026, 7:47 AM
Fabfur subscribed.Feb 25 2026, 10:13 AM
gerritbot added a comment.Feb 25 2026, 4:15 PM

Change #1243870 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] cache::haproxy: save x-wmf-ratelimit-class content for webrequest

https://gerrit.wikimedia.org/r/1243870

gerritbot added a project: Patch-For-Review.Feb 25 2026, 4:15 PM
Ottomata removed a project: Data-Engineering.Feb 25 2026, 5:26 PM
CodeReviewBot added a comment.Feb 26 2026, 8:21 AM

fabfur opened https://gitlab.wikimedia.org/repos/sre/haproxykafka/-/merge_requests/105

Introduce x_wmf_ratelimit_class new variable

CodeReviewBot added a comment.Feb 27 2026, 3:02 PM

fabfur merged https://gitlab.wikimedia.org/repos/sre/haproxykafka/-/merge_requests/105

Introduce x_ratelimit_class new variable

Vgutierrez subscribed.Feb 27 2026, 3:47 PM

could I suggest using a dedicated prefix for API/REST gateway headers? We already use internally X-WMF as a prefix on other layers that aren't related to API/REST gateways.

Also in general I'm worried that if we establish that any backend can emit arbitrary x-wmf-* headers and the CDN will silently drop them, we create an incentive for services to overuse this namespace without coordination. That leads to header bloat on internal hops and makes it harder to reason about which headers are meaningful vs accidental.

Joe subscribed.Feb 27 2026, 3:50 PM

I don't want us to make anything under x-wmf be stripped automatically. It limits ourselves in the future.

If you want to go with a prefix approach, for which I have similar doubts to what @Vgutierrez just expressed, I'd rather use something like x-internal- or similar so it's clear, even from the header name, that it should be cleaned and not exposed to the world.

But if we go this way, then we should adopt it for every header we use that has only internal usage, so we can simplify our edge cleanup code.

daniel added a comment.Feb 27 2026, 4:40 PM

The gateway is adding x-wmf-ratelimit-class and x-wmf-ratelimit-policy and x-wmf-user-id to request headers it forwards to backend services. The primary purpose is internal to Envoy, but it seemed useful to have this information available in backend services. We could stop doing that if this is too much bloat.

It seemed like a good idea to use the same header names in both request and response, to avoid confusion.

Furthermore, using just x-ratelimit as a prefix would conflict with a different kind of ratelimit response headers which are used by Envoy internally (but we filter out).

We can change the prefix to x-internal or x-restgw or x-api for sure, we'd just have to update the envoy config and some index definitions for logstash. I don't think the current header names are referenced anywhere else.

We can also just strip the one header for now, and postpone the discussion...

BCornwall subscribed.Feb 27 2026, 4:41 PM
gerritbot added a comment.Mar 2 2026, 11:37 AM

Change #1247034 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] varnish: add headers to x-analytics

https://gerrit.wikimedia.org/r/1247034

gerritbot added a comment.Mar 2 2026, 11:38 AM

Change #1243870 abandoned by Fabfur:

[operations/puppet@production] cache::haproxy: save x-ratelimit-class content for webrequest

Reason:

superseded by 1247034

https://gerrit.wikimedia.org/r/1243870

Joe added a comment.Mar 2 2026, 2:56 PM

For now, let's remove the individual headers at the edge; we will have time to come up with a prefix naming (if any) that we want to use going forward, and to convert the headers to those values.

gerritbot added a comment.Mar 4 2026, 10:31 AM

Change #1247034 merged by Fabfur:

[operations/puppet@production] varnish: add trusted_req and rl_class fields to x-analytics

https://gerrit.wikimedia.org/r/1247034

Maintenance_bot removed a project: Patch-For-Review.Mar 4 2026, 11:31 AM
Raine added a project: User-Raine.Mar 4 2026, 12:33 PM
Raine moved this task from "Should I do it?" triage to Needs Info / Blocked on the User-Raine board.
Raine moved this task from Needs Info / Blocked to Radar on the User-Raine board.
Raine subscribed.
daniel closed this task as Resolved.Mar 5 2026, 8:21 PM
daniel claimed this task.

Done for x-wmf-ratelimit-class for now. Will revisit for a more general solution.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits