feat(secrets): allow rules to not require a matching header #193

Open: drewstone wants to merge 1 commit into ironsh:main from drewstone:tangle/0004-allow-connect-without-header

@drewstone (Contributor)

What

Adds a `require` flag (default `true`, preserving current behaviour) to secret-injection rules. When a rule is configured `require: false` and its match header is absent, the request is passed through untransformed instead of rejected. Includes unit tests.

Why

CONNECT / tunnelled flows legitimately carry no matchable header; a strict rule rejects them. `require: false` lets such a rule apply when the header is present and otherwise step aside. Carried as a local patch in our sandbox-egress deployment; upstreaming to drop it.

Compatibility

Default `require: true` is the existing behaviour — no change unless a rule opts in.

Add a `require` flag (default true) to secret-injection rules so a rule
can be configured non-required: when the configured match header is
absent the request is allowed through untransformed instead of rejected.
Needed for CONNECT/tunnelled flows that legitimately carry no matchable
header. Includes unit tests.
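
As an added illustration of the behaviour described above (not code from this pull request or from the project; the `Rule` type, its field names and the placeholder-substitution step are assumptions), a minimal Go model of how `require` changes the outcome when the match header is absent:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Rule is a hypothetical model of a secret-injection rule; the field names
// are assumptions for this example, not the project's schema.
type Rule struct {
	MatchHeader string // header the rule looks for
	Placeholder string // value the sandbox sends in place of the secret
	Secret      string // real value substituted at egress
	Require     bool   // true: reject when MatchHeader is absent
}

var ErrMissingHeader = errors.New("required match header absent")

// Apply reports whether a secret was injected into h. With Require=false a
// request whose match header is absent or empty is left untransformed.
func (r Rule) Apply(h http.Header) (bool, error) {
	v := h.Get(r.MatchHeader)
	if v == "" {
		if r.Require {
			return false, ErrMissingHeader // strict rule: fail closed
		}
		return false, nil // non-required rule: step aside, nothing injected
	}
	out := strings.ReplaceAll(v, r.Placeholder, r.Secret)
	h.Set(r.MatchHeader, out)
	return out != v, nil
}

func main() {
	connect := http.Header{} // constructed: tunnelled request, no Authorization
	api := http.Header{"Authorization": {"Bearer PLACEHOLDER"}} // constructed
	for _, require := range []bool{true, false} {
		r := Rule{"Authorization", "PLACEHOLDER", "constructed-secret", require}
		_, err := r.Apply(connect.Clone())
		injected, _ := r.Apply(api.Clone())
		fmt.Printf("require=%v connect_err=%v api_injected=%v\n", require, err, injected)
	}
}
```

A non-required rule never adds the secret to a request it does not match, but it also no longer blocks that request, so whether header-less traffic to that destination is acceptable has to be decided by whatever else governs egress.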