Hi Yeah the http filter was filtering only for the producer. We should do it for the consumer as well, so camel-jetty etc do not include Camel headers in the http responses by default.
There is plenty of options already we should not add more. I logged a ticket to let the http filter strategy filter those for both the producer and consumer https://issues.apache.org/jira/browse/CAMEL-9052 On Wed, Aug 5, 2015 at 9:51 AM, James Green <[email protected]> wrote: > We recently had cause to tcpdump an http request from the http4 component > to a web site. We were most surprised to find a load of exchange headers > listed as HTTP "header: value" pairs. > > A quick search on-line brings up a couple of Red Hat / Fuse documents > saying that headers named 'Camel...' are not transmitted onwards, others > are. > > Two concerns: > > 1. We see no documentation concerning this on the http4 component's page > 2. There may be a great many applications deployed unintentionally > transmitting internal headers to third parties potentially in breach of > policy or legal restrictions without human knowledge > > I suggest adding a new option, CopyAllHeadersToHttpHeaders, defaulted to > false. This would allow developers to "correct" their applications without > code changes, and those taking advantage of this facility can switch it on > explicitly. > > This isn't a Camel security vulnerability but I very much expect it to be > leading to information leakage "out there". It is certainly not a behaviour > we expected to see given the documentation. There may be other components > that require similar attention. > > Thoughts? > > James -- Claus Ibsen ----------------- http://davsclaus.com @davsclaus Camel in Action 2nd edition: http://www.manning.com/ibsen2
