API Gateway: Whitespace in HTTP header name

book

Article ID: 207975

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

After upgrading the Layer7 infrastructure to version 9.4,  there is a scenario where the client application is making a call to Layer7 with the whitespace at the end of the http header name and Layer7 is dropping this header. However, the same header is accepted in version 9.1. Was this a new functionality or fix in version 9.4 that dropped the http header with a whitespace in the name? Is there any setting to temporarily allow whitespace in the http header name? 

correlationid :: 2ae1b12c-f0a5-4aba-99d8-05d20de3dee4

Environment

API Gateway: 9.2 CR09+

Resolution

Per RFC7230:

"No whitespace is allowed between the header field-name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling."

REF: https://tools.ietf.org/html/rfc7230#section-3.2.4

This was was implemented in GW 9.2 CR09. Any GW version prior to this accepts the whitespace.