What is the Delete Response Header Handler?
The Delete Response Header Handler allows you to remove specific HTTP headers from responses before they're delivered to the client. This gives you control over what information is exposed to end users and external systems. By removing headers, you can enhance security, eliminate unnecessary information, and ensure a consistent experience across different browser environments.
How Delete Response Header Handler Works
When a rule with a Delete Response Header Handler matches an incoming request, the handler removes the specified headers from the response after it's received from your upstream server but before it's sent to the client. If a named header doesn't exist in the response, the handler simply ignores it and continues processing.
This process happens transparently to both your upstream server and the end user, allowing you to filter header information without modifying your application code.
Configuration Options
The Delete Response Header Handler requires a list of headers to remove:
Option | Type | Required | Description |
headers | Array | Yes | An array of header objects to remove from the response |
Each header object within the array has these properties:
Property | Type | Required | Description |
name | String | Yes | The name of the header to delete (case-insensitive) |
API Reference
When working with Rules through the API, Delete Response Header handlers are represented in JSON format. This is the same structure used in the API endpoints for creating and updating rules.
{
  "type": "delete_response_header",
  "headers": [
    {
      "name": "Server"
    },
    {
      "name": "X-Powered-By"
    }
  ]
}
In API requests, this handler would be included in the handlers array of a rule object:
{
  "name": "Remove Server Information Headers",
  "active": true,
  "matchers": [],
  "handlers": [
    {
      "type": "delete_response_header",
      "headers": [
        {
          "name": "Server"
        },
        {
          "name": "X-Powered-By"
        }
      ]
    }
  ]
}
Configuration Examples
Example 1: Removing Server Information
This handler will remove headers that reveal technical details about your server:
In the API:
{
  "type": "delete_response_header",
  "headers": [
    {
      "name": "Server"
    },
    {
      "name": "X-Powered-By"
    },
    {
      "name": "X-AspNet-Version"
    },
    {
      "name": "X-Runtime"
    }
  ]
}
Example 2: Removing Default Cache Headers
This handler removes default cache headers to prepare for custom caching:
In the API:
{
  "type": "delete_response_header",
  "headers": [
    {
      "name": "Cache-Control"
    },
    {
      "name": "Expires"
    },
    {
      "name": "Pragma"
    }
  ]
}
Common Use Cases
Here are some popular ways to use the Delete Response Header Handler:
Security Enhancement
Remove headers that could expose sensitive information:
Delete Server and X-Powered-By headers to hide technology stack details
Remove X-AspNet-Version or other framework version headers
Strip out custom headers that might reveal internal systems or architectures
Remove headers that expose internal IPs or server names
Preparing for Header Replacement
Clean up existing headers before setting new values:
Remove existing security headers before applying a consistent policy
Delete default cache directives before applying custom caching
Remove old CORS headers before setting updated cross-origin policies
Clear out Content-Type headers before setting more specific types
Standardization Across Different Services
Create consistent responses when proxying to different backends:
Remove varying headers from different services
Delete backend-specific headers for a unified experience
Strip out inconsistent timing or debugging headers
Remove headers that vary between development and production environments
Reducing Response Size
Streamline responses by removing unnecessary headers:
Delete unnecessary metadata headers
Remove deprecated or redundant headers
Strip out verbose tracking or analytics headers
Delete headers that don't provide value to clients
Compliance Requirements
Meet regulatory or privacy standards:
Remove headers that might contain personal data
Delete headers exposing geolocation information
Strip out headers with session or user identifiers when not needed
Remove headers that might violate specific compliance requirements
Fixing Problematic Headers
Resolve issues with malformed or conflicting headers:
Delete incorrectly formatted headers that might cause browser issues
Remove duplicate headers with varying values
Strip out headers known to cause compatibility problems
Delete headers with values exceeding size limits
Combining with Other Handlers
The Delete Response Header handler works particularly well when combined with:
Set Response Header Handler: Remove existing headers before setting new values
Static Response Handler: Clean up default headers in static responses
Replace Response Handler: Remove headers that might no longer be relevant after content changes
For optimal results, the Delete Response Header handler should typically be placed:
Before Set Response Header handler to ensure clean replacement
After any handlers that might modify the response in ways that make certain headers irrelevant
Near the end of your handler chain if you're doing final cleanup before delivery to the client
Best Practices
Be specific about which headers to remove (avoid wildcards or broad removals)
Document why you're removing specific headers for future reference
Test thoroughly after removing headers to ensure functionality isn't affected
Remember that header names are case-insensitive for removal purposes
Consider keeping useful headers that don't pose security or privacy risks
Use this handler in combination with Set Response Header for complete header management
Be cautious when removing standard headers that might be expected by clients
Audit your headers regularly to identify new candidates for removal
Troubleshooting
If your Delete Response Header handler isn't working as expected:
Verify that your matchers are correctly identifying the requests
Check header names for exact spelling (though matching is case-insensitive)
Inspect the original response to confirm the headers exist before deletion
Ensure the handler is ordered correctly in your processing chain
Remember that some headers might be added by intermediate proxies after your rules
Verify that no other handlers are re-adding the headers after deletion
Use browser developer tools to inspect the final headers received by the client
Limitations
Cannot selectively remove headers based on their values, only by name
Some automatically generated headers might be re-added by proxies or CDNs
Certain browsers might enforce specific security headers regardless of server response
Some headers are critical for proper HTTP functioning and should not be removed
Headers can only be removed entirely, not partially modified
Cannot use pattern matching to remove groups of similarly named headers
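The matching rules described on this page (case-insensitive names, missing headers ignored, no pattern matching), as an added example that is not the product's own code: a small Python lint and offline simulation run over a constructed rule and constructed upstream headers. The CRITICAL list and the function names are assumptions made for illustration.

```python
import json

# Constructed rule, using the handler JSON shape shown in the API Reference.
RULE = json.loads("""
{"name": "Remove Server Information Headers", "active": true, "matchers": [],
 "handlers": [{"type": "delete_response_header",
               "headers": [{"name": "server"}, {"name": "X-Powered-By"},
                           {"name": "X-Debug-*"}, {"name": "Content-Length"}]}]}
""")

# Constructed upstream response; a list of pairs so duplicate headers are kept.
UPSTREAM = [("Server", "nginx/1.25.3"), ("X-POWERED-BY", "PHP/8.2"),
            ("X-Debug-Trace", "a1"), ("Content-Length", "512"),
            ("Set-Cookie", "a=1"), ("Set-Cookie", "b=2")]

# Assumption: an illustrative list of headers clients rely on, not the product's.
CRITICAL = {"content-length", "content-type", "content-encoding",
            "transfer-encoding"}


def names_to_delete(rule):
    """Collect lower-cased names from every delete_response_header handler."""
    names = []
    for handler in rule.get("handlers", []):
        if handler.get("type") == "delete_response_header":
            names += [h["name"].strip().lower()
                      for h in handler.get("headers", [])]
    return names


def lint(rule):
    """Warn about names that look like patterns or are risky to strip."""
    warnings = []
    for name in names_to_delete(rule):
        if any(c in name for c in "*?[]"):
            warnings.append(f"{name}: no pattern matching, treated as a literal name")
        elif name in CRITICAL:
            warnings.append(f"{name}: needed for correct HTTP handling")
    return warnings


def apply_delete(rule, headers):
    """Drop headers whose name matches case-insensitively; absent names are ignored."""
    doomed = set(names_to_delete(rule))
    return [(k, v) for k, v in headers if k.lower() not in doomed]


if __name__ == "__main__":
    print(lint(RULE))
    print(apply_delete(RULE, UPSTREAM))
```

In the simulated output, X-Debug-Trace survives because the wildcard entry is compared as a plain name, which is the failure a pattern-style entry would cause silently in a real rule.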
The Delete Response Header handler provides fine-grained control over the HTTP headers in your responses. By strategically removing unnecessary or sensitive headers, you can enhance security, optimize performance, and ensure a consistent experience for your users.