I am setting up an NGINX reverse proxy, which sits in front of an API. I would like to use:
proxy_set_header X-Secret-Key ${SECRET_VALUE};
to add a token to the request, which is then read by the API. ${SECRET_VALUE} is pulled from a secrets vault and injected into the conf file at runtime. For the purposes of this question, we can assume the secrets vault is secure. We can also assume that the API does not do anything silly, like add X-Secret-Key to the response headers, and that the connection between the reverse proxy and the API is secure.
My question: is there any way that an attacker can view request headers added by the proxy in this way? Or are they only visible to the proxy itself and the API?
Many thanks.
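As an added example (not part of the original question), here is how such a setup is commonly laid out in an nginx server block, together with the nginx-side settings that decide whether the injected header can leave the proxy/API pair. The hostname, upstream address, certificate paths and the envsubst-style templating are assumptions; the header name and the ${SECRET_VALUE} placeholder are taken from the question.

```nginx
# Added example, not from the original question. Assumes the file is a
# template rendered before nginx starts (e.g. envsubst over a *.template
# file, as the official Docker image does), so ${SECRET_VALUE} becomes a
# literal string; nginx itself does not expand environment variables in
# its configuration. Hostname, paths and upstream address are placeholders.

server {
    listen 443 ssl;
    server_name api.example.com;                         # assumed hostname
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Do not run with error_log at "debug" in production: on a build with
    # --with-debug, nginx writes the complete upstream request, including
    # every header it adds, into the error log ("http proxy header: ...").
    error_log /var/log/nginx/error.log warn;

    location / {
        # TLS to the API so the header is not readable by anyone on the
        # network segment between proxy and backend.
        proxy_pass https://api-backend.internal:8443;    # assumed upstream

        # proxy_set_header REPLACES any X-Secret-Key header the client sent,
        # so a client cannot smuggle its own value through to the API.
        proxy_set_header X-Secret-Key ${SECRET_VALUE};

        # Defence in depth: even if the API ever echoes the header back,
        # strip it from the response before it reaches the client.
        proxy_hide_header X-Secret-Key;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Once rendered, the configuration file holds the secret in cleartext, so its readability becomes the remaining exposure on the proxy host: restrict the file to the user nginx runs as (for example mode 0640, root:nginx), and keep in mind that `nginx -T` dumps the full effective configuration, secret included, to whoever can run it.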