Yes, most components (and processors in general) pass along headers. It's a
pattern that's common to message-oriented middleware generally. Often with
CXF, JMS, and HTTP, etc., we use the headerFilterStrategy option to tightly
control which headers flow in and out of Camel.

On Fri, Feb 4, 2022 at 6:03 AM Colm O hEigeartaigh <cohei...@apache.org>
wrote:

> Hi,
>
> It seems Camel has a default behaviour of echoing client headers, at
> least for the CXF component that I tested with, e.g.:
>
> from("cxf://http://localhost:8000/service.endpoint?dataFormat=POJO&serviceClass=beans.CXFdemobean")
>     .log("message");
>
> Calling it with: curl -H "xyz: whatever" http://localhost:8000/service.endpoint -i
>
> it includes in the response headers:
>
> xyz: whatever
>
> I know I have the option of adding a processor with:
>
> exchange.getIn().removeHeaders("*");
>
> However it seems to me very non-intuitive that any HTTP headers sent
> by the client might be echoed back by default. There are potential
> security concerns if for example, the Authorization header is sent
> back to the client. I'm just wondering if this issue came up before or
> if we would consider changing the default behaviour?
>
> Thanks,
>
> Colm.
>
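As an added illustration of the headerFilterStrategy approach mentioned in the reply (example code written for this thread, not from the Camel project or either poster): an allow-list strategy under which only headers the service itself sets can become response headers, so a client-supplied Authorization header is never echoed. It assumes Camel 3.x on Java 9+, that the bean name "noEcho" and the header names in the two sets are example choices, and that the CXF endpoint applies the strategy when mapping Camel headers onto the response, as the headerFilterStrategy option is intended to do.

```java
import java.util.Locale;
import java.util.Set;

import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.spi.HeaderFilterStrategy;

// Example strategy (not Camel's own): an allow-list for response headers plus a
// block-list for sensitive request headers. Both methods return true to DROP a header.
public class NoEchoHeaderFilterStrategy implements HeaderFilterStrategy {

    // Outbound: the only Camel headers permitted to become HTTP response headers (example values).
    private static final Set<String> RESPONSE_ALLOW_LIST = Set.of("content-type", "content-length");

    // Inbound: client headers that must not be copied into the exchange at all (example values).
    private static final Set<String> REQUEST_BLOCK_LIST = Set.of("authorization", "proxy-authorization", "cookie");

    // Called for each Camel header about to be written to the external (response) message.
    @Override
    public boolean applyFilterToCamelHeaders(String headerName, Object headerValue, Exchange exchange) {
        return headerName == null || !RESPONSE_ALLOW_LIST.contains(headerName.toLowerCase(Locale.ROOT));
    }

    // Called for each external (client request) header about to enter the exchange.
    @Override
    public boolean applyFilterToExternalHeaders(String headerName, Object headerValue, Exchange exchange) {
        return headerName == null || REQUEST_BLOCK_LIST.contains(headerName.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();
        // Bind the strategy so the endpoint option can reference it as "#noEcho".
        context.getRegistry().bind("noEcho", new NoEchoHeaderFilterStrategy());
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                from("cxf://http://localhost:8000/service.endpoint"
                        + "?dataFormat=POJO&serviceClass=beans.CXFdemobean"
                        + "&headerFilterStrategy=#noEcho")
                    .log("headers that reached the route: ${headers}");
            }
        });
        context.start();
        Thread.sleep(Long.MAX_VALUE); // keep the consumer running
    }
}
```

With this in place, repeating the curl call from the quoted message should show "xyz: whatever" absent from the response, and "Authorization" absent from the logged headers.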
