Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello, I was wondering if oathkeeper can remove headers from an incoming request, from the documentation you can add headers through the `header` mutator but can we remove them ?

Some specific, like authorization or cookies?

to avoid header forgery we would like to drop the header on incoming requets, so that only oathkeeper can set it during the mutators and to ensure that if the header is present it must be from oathkeeper and it can be trusted

If you setup the same header name, it should overwrite the existing (incoming) header