Secret headers are HTTP headers that are sent to your backend server without being exposed to the client. This feature allows you to send sensitive information to your backend server, such as authentication tokens or API keys, to authorize requests that come from Edgee.

How it works

Secret headers work by:
  1. Client-side invisibility: Headers configured as secret are not visible to the client browser
  2. Server-side forwarding: Edgee automatically forwards these headers to your backend server
  3. Secure transmission: Headers are transmitted securely through Edgee’s infrastructure
  4. Backend validation: Your server can validate these headers to ensure requests come from Edgee

Configuration

To enable secret headers, navigate to your project’s Security settings and click on the Secret Headers section.
Secret Headers Configuration

Go to your project > Security > Secret Headers to configure secret headers.

Enabling Secret Headers

  1. Toggle the switch: Click the toggle switch to enable or disable secret headers
  2. Add headers: Click the Add Header button to add new secret headers
  3. Configure headers: For each header, specify:
    • Header Name: The name of the HTTP header (e.g., X-Edgee-Token)
    • Header Value: The value of the header (e.g., your secret token)
  4. Save configuration: Click Save to apply your changes

Header Management

  • Add headers: Use the Add Header button to add multiple secret headers
  • Remove headers: Click the minus icon next to any header to remove it
  • Edit headers: Modify header names and values at any time
  • Validation: The system validates header names and values before saving

Use Cases

Example: API Authentication

Use secret headers to authenticate API requests from Edgee: 
Header Name: X-Edgee-Auth
Header Value: your-secret-api-key
Your backend can validate this header to ensure requests originate from Edgee.

Backend Implementation

Node.js Example

app.use((req, res, next) => {
  const edgeeToken = req.headers['x-edgee-auth'];
  
  if (!edgeeToken || edgeeToken !== 'your-secret-api-key') {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  
  next();
});

Python Example

from flask import request, jsonify

@app.before_request
def validate_edgee_headers():
    edgee_token = request.headers.get('X-Edgee-Auth')
    
    if not edgee_token or edgee_token != 'your-secret-api-key':
        return jsonify({'error': 'Unauthorized'}), 401

Go Example

func validateEdgeeHeaders(next http.HandlerFunc) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        edgeeToken := r.Header.Get("X-Edgee-Auth")
        
        if edgeeToken != "your-secret-api-key" {
            http.Error(w, "Unauthorized", http.StatusUnauthorized)
            return
        }
        
        next.ServeHTTP(w, r)
    }
}

Security Best Practices

  1. Use strong values: Choose complex, random values for your secret headers
  2. Rotate regularly: Periodically update your secret header values
  3. Validate on backend: Always validate secret headers on your backend server
  4. Monitor usage: Track and monitor requests using secret headers
  5. Limit scope: Only use secret headers for necessary authentication/authorization