Delete Response Header Handler

Learn how to remove HTTP headers from responses to streamline communication, eliminate sensitive information, or clean up unnecessary metadata before it reaches clients.

Written by Drago Crnjac
Updated over 3 weeks ago

What is the Delete Response Header Handler?

The Delete Response Header Handler allows you to remove specific HTTP headers from responses before they're delivered to the client. This gives you control over what information is exposed to end users and external systems. By removing headers, you can enhance security, eliminate unnecessary information, and ensure a consistent experience across different browser environments.

How Delete Response Header Handler Works

When a rule with a Delete Response Header Handler matches an incoming request, the handler removes the specified headers from the response after it's received from your upstream server but before it's sent to the client. If a named header doesn't exist in the response, the handler simply ignores it and continues processing.

This process happens transparently to both your upstream server and the end user, allowing you to filter header information without modifying your application code.

Configuration Options

The Delete Response Header Handler requires a list of headers to remove:

| Option | Type | Required | Description |
|---|---|---|---|
| headers | array | Yes | An array of header objects to remove from the response |

Each header object within the array has these properties:

| Property | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | The name of the header to delete (case-insensitive) |

API Reference

When working with Rules through the API, Delete Response Header handlers are represented in JSON format. This is the same structure used in the API endpoints for creating and updating rules.

{
  "type": "delete_response_header",
  "headers": [
    {
      "name": "Server"
    },
    {
      "name": "X-Powered-By"
    }
  ]
}

In API requests, this handler would be included in the handlers array of a rule object:

{
  "name": "Remove Server Information Headers",
  "active": true,
  "matchers": [],
  "handlers": [
    {
      "type": "delete_response_header",
      "headers": [
        {
          "name": "Server"
        },
        {
          "name": "X-Powered-By"
        }
      ]
    }
  ]
}

Configuration Examples

Example 1: Removing Server Information

This handler will remove headers that reveal technical details about your server:

In the API:

{
  "type": "delete_response_header",
  "headers": [
    {
      "name": "Server"
    },
    {
      "name": "X-Powered-By"
    },
    {
      "name": "X-AspNet-Version"
    },
    {
      "name": "X-Runtime"
    }
  ]
}

Example 2: Removing Default Cache Headers

This handler removes default cache headers to prepare for custom caching:

In the API:

{
  "type": "delete_response_header",
  "headers": [
    {
      "name": "Cache-Control"
    },
    {
      "name": "Expires"
    },
    {
      "name": "Pragma"
    }
  ]
}

Common Use Cases

Here are some popular ways to use the Delete Response Header Handler:

Security Enhancement

Remove headers that could expose sensitive information:

  • Delete Server and X-Powered-By headers to hide technology stack details

  • Remove X-AspNet-Version or other framework version headers

  • Strip out custom headers that might reveal internal systems or architectures

  • Remove headers that expose internal IPs or server names

Preparing for Header Replacement

Clean up existing headers before setting new values:

  • Remove existing security headers before applying a consistent policy

  • Delete default cache directives before applying custom caching

  • Remove old CORS headers before setting updated cross-origin policies

  • Clear out Content-Type headers before setting more specific types

Standardization Across Different Services

Create consistent responses when proxying to different backends:

  • Remove varying headers from different services

  • Delete backend-specific headers for a unified experience

  • Strip out inconsistent timing or debugging headers

  • Remove headers that vary between development and production environments

Reducing Response Size

Streamline responses by removing unnecessary headers:

  • Delete unnecessary metadata headers

  • Remove deprecated or redundant headers

  • Strip out verbose tracking or analytics headers

  • Delete headers that don't provide value to clients

Compliance Requirements

Meet regulatory or privacy standards:

  • Remove headers that might contain personal data

  • Delete headers exposing geolocation information

  • Strip out headers with session or user identifiers when not needed

  • Remove headers that might violate specific compliance requirements

Fixing Problematic Headers

Resolve issues with malformed or conflicting headers:

  • Delete incorrectly formatted headers that might cause browser issues

  • Remove duplicate headers with varying values

  • Strip out headers known to cause compatibility problems

  • Delete headers with values exceeding size limits

Combining with Other Handlers

The Delete Response Header handler works particularly well when combined with:

  • Set Response Header Handler: Remove existing headers before setting new values

  • Static Response Handler: Clean up default headers in static responses

  • Replace Response Handler: Remove headers that might no longer be relevant after content changes

For optimal results, the Delete Response Header handler should typically be placed:

  • Before Set Response Header handler to ensure clean replacement

  • After any handlers that might modify the response in ways that make certain headers irrelevant

  • Near the end of your handler chain if you're doing final cleanup before delivery to the client

Best Practices

  • Be specific about which headers to remove (avoid wildcards or broad removals)

  • Document why you're removing specific headers for future reference

  • Test thoroughly after removing headers to ensure functionality isn't affected

  • Remember that header names are case-insensitive for removal purposes

  • Consider keeping useful headers that don't pose security or privacy risks

  • Use this handler in combination with Set Response Header for complete header management

  • Be cautious when removing standard headers that might be expected by clients

  • Audit your headers regularly to identify new candidates for removal

Troubleshooting

If your Delete Response Header handler isn't working as expected:

  • Verify that your matchers are correctly identifying the requests

  • Check header names for exact spelling (though matching is case-insensitive)

  • Inspect the original response to confirm the headers exist before deletion

  • Ensure the handler is ordered correctly in your processing chain

  • Remember that some headers might be added by intermediate proxies after your rules

  • Verify that no other handlers are re-adding the headers after deletion

  • Use browser developer tools to inspect the final headers received by the client
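
To check a rule against what clients actually receive, the added Python example below (not part of the product or its API) compares a handler in the JSON shape shown on this page with a captured list of response headers. The PROTECTED list, the function names and the sample headers are assumptions made for illustration.

```python
import json
import urllib.request

# Handler JSON in the shape shown on this page (Example 1).
RULE = json.loads("""{"type": "delete_response_header", "headers": [
  {"name": "Server"}, {"name": "X-Powered-By"},
  {"name": "X-AspNet-Version"}, {"name": "X-Runtime"}]}""")

# Assumption: headers this script treats as needed by clients.
# The list is illustrative and does not come from the product.
PROTECTED = {"content-type", "content-length", "content-encoding",
             "transfer-encoding", "location", "set-cookie"}

def names_to_delete(handler):
    """Lower-cased header names from a delete_response_header handler."""
    if handler.get("type") != "delete_response_header":
        raise ValueError("not a delete_response_header handler")
    return [h["name"].strip().lower() for h in handler["headers"]]

def audit(handler, client_headers):
    """Compare the rule with (name, value) pairs the client received."""
    wanted = names_to_delete(handler)
    seen = {}
    for name, value in client_headers:  # pairs keep duplicate headers
        seen.setdefault(name.lower(), []).append(value)
    return {
        # Listed for deletion but delivered anyway (re-added downstream,
        # rule did not match, or handler order is wrong).
        "still_present": {n: seen[n] for n in wanted if n in seen},
        # Deleting these can break clients.
        "risky_deletes": [n for n in wanted if n in PROTECTED],
        # The page states pattern matching is not supported.
        "pattern_names": [n for n in wanted if "*" in n or "?" in n],
    }

def fetch_headers(url):
    """Headers delivered for a live URL, for use instead of the sample."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.items()

# Constructed sample: headers as seen in browser developer tools after a
# downstream proxy re-added "server" in a different letter case.
CLIENT_HEADERS = [
    ("content-type", "text/html; charset=utf-8"),
    ("SERVER", "example-cdn"),
    ("x-request-id", "constructed-1234"),
]

if __name__ == "__main__":
    print(json.dumps(audit(RULE, CLIENT_HEADERS), indent=2))
```

A non-empty still_present result points at the troubleshooting items above: a matcher that did not fire, a handler ordered too early, or a proxy re-adding the header after your rules.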

Limitations

  • Cannot selectively remove headers based on their values, only by name

  • Some automatically generated headers might be re-added by proxies or CDNs

  • Certain browsers might enforce specific security headers regardless of server response

  • Some headers are critical for proper HTTP functioning and should not be removed

  • Headers can only be removed entirely, not partially modified

  • Cannot use pattern matching to remove groups of similarly named headers

The Delete Response Header handler provides fine-grained control over the HTTP headers in your responses. By strategically removing unnecessary or sensitive headers, you can enhance security, optimize performance, and ensure a consistent experience for your users.

Until next time, keep building!

