.. _config_http_conn_man_header_sanitizing: HTTP header sanitizing ====================== For security reasons, Envoy will "sanitize" various incoming HTTP headers depending on whether the request is an internal or external request. The sanitizing action depends on the header and may result in addition, removal, or modification. Ultimately, whether the request is considered internal or external is governed by the :ref:`x-forwarded-for ` header (please read the linked section carefully as how Envoy populates the header is complex and depends on the :ref:`use_remote_address ` setting). Envoy will potentially sanitize the following headers: * :ref:`x-envoy-decorator-operation ` * :ref:`x-envoy-downstream-service-cluster ` * :ref:`x-envoy-downstream-service-node ` * :ref:`x-envoy-expected-rq-timeout-ms ` * :ref:`x-envoy-external-address ` * :ref:`x-envoy-force-trace ` * :ref:`x-envoy-internal ` * :ref:`x-envoy-ip-tags ` * :ref:`x-envoy-max-retries ` * :ref:`x-envoy-retry-grpc-on ` * :ref:`x-envoy-retry-on ` * :ref:`x-envoy-upstream-alt-stat-name ` * :ref:`x-envoy-upstream-rq-per-try-timeout-ms ` * :ref:`x-envoy-upstream-rq-timeout-alt-response ` * :ref:`x-envoy-upstream-rq-timeout-ms ` * :ref:`x-forwarded-client-cert ` * :ref:`x-forwarded-for ` * :ref:`x-forwarded-proto ` * :ref:`x-request-id `