Why Headers Matter and How Reverse Proxies May Alter Them
A reverse proxy is a server that sits in front of web servers. It is responsible for intercepting and forwarding client requests (for example, browser’s request) to the web server. Once the web server responds to the proxy, the resources returned to the client appear as if they originated from the web server itself. Usually, reverse proxies are used to help with increasing security, performance, and reliability of offered services. Some of the most commonly reverse proxies include solutions offered by, for example, NGINX, Cloudflare, or Akamai.
Customers that deploy the Cloudentity platform themselves, may want to set up a reverse proxy that will sit in front of the platform and will forward client requests to Cloudentity.
Because a reverse proxy intercepts and forwards the requests to the Cloudentity platform, it is critical for the proxy to correctly forward request headers to Cloudentity in order to keep all of the platform’s functionalities and features working properly. For example, some of the reverse proxies could provide Cloudentity with the IP address of the proxy itself instead of the IP address of the client requesting resources from the platform. Such practice could falsify, for example, the audit events data.
To keep Cloudentity working up to its full potential, make sure that all the headers listed in the tables below are forwarded or set properly by your reverse proxy.
Expected Custom Request Headers Reference
| Header | Description | Expected Value |
|---|---|---|
| True-Client-IP | The True-Client-IP request header identifies the originating IP address of a client connecting to the server through a proxy server. If not provided, the Cloudentity platform check’s the value of the X-Forwarded-For (see below). If both headers are missing, the Cloudentity platform takes the IP address from the HTTP request’s Remote Address. |
End user’s IP address, for example, 100.0.0.1 |
| X-Forwarded-For | The X-Forwarded-For request header contains original visitor IP address (which is the same value of True-Client-IP) and all involved proxy servers addresses. |
Comma-separated list of IP addresses, for example, 100.0.0.1,100.0.0.2,200.0.0.1 |
Expected FAPI/Openbanking Request Headers Reference
| Header | Description | Expected Value |
|---|---|---|
| x-fapi-auth-date | Indicates the last time a customer logged into the client. | x-fapi-auth-date: <date> where the date is supplied as a HTTP-date as defined in section 7.1.1.1 of RFC7231 |
| x-fapi-customer-ip-address | The customer’s IP address if the customer is currently logged in within the third party provider’s application. | x-fapi-customer-ip-address: <ip-address> |
| x-fapi-interaction-id | A RFC4122 UUID to the server to help correlate log entries between the client and the server. | x-fapi-interaction-id: <UUID> |
| x-customer-user-agent | Used in UK Open Banking the header indicates the user-agent the customer is using. | x-customer-user-agent: <product> / <product-version> <comment> |
| x-jws-signature | Contains a detached JWS signature of the body of the payload | x-jws-signature: <jws> where the <jws> is a signature as defined in the RFC7515 |
| x-idempotency-key | Unique request identifier to support idempotency. Used in UK Open Banking | x-idempotency-key: <unique-key> |
| x-v | Used in Consumer Data Right. Version of the API end point requested by the client. Must be set to a positive integer. | x-v: <version> where the version is the highest supported by the Data Holder API version between the x-min-v and x-v. |