Checksum HTTP filter (proto)

This extension has the qualified name envoy.filters.http.checksum


This extension is only available in contrib images.


This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.


This extension extends and can be used with the following extension category:


This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

Filter to reject responses that don’t match a specified checksum. To avoid holding the entire response in memory, the rejection occurs at the end of the stream.


[extensions.filters.http.checksum.v3alpha.ChecksumConfig proto]

  "checksums": [],
  "reject_unmatched": ...

(repeated extensions.filters.http.checksum.v3alpha.ChecksumConfig.Checksum) A set of matcher and checksum pairs for which, if a path matching path_matcher is requested and the checksum of the response body does not match the sha256, the response will be replaced with a 403 Forbidden status.

If multiple matchers match the same path, the first to match takes precedence.


(bool) If a request doesn’t match any of the specified checksum paths and reject_unmatched is true, the request is rejected immediately with 403 Forbidden.


[extensions.filters.http.checksum.v3alpha.ChecksumConfig.Checksum proto]

  "path_matcher": {...},
  "sha256": ...

(type.matcher.v3.StringMatcher, REQUIRED) A matcher for a path that is expected to have a specific checksum, as specified in the sha256 field.


(string) A hex-encoded sha256 string required to match the sha256sum of the response body of the path specified in the path_matcher field.