
backend: headlamp: filter sensitive headers in external proxy#5680

Open
ayushmaan-16 wants to merge 3 commits into kubernetes-sigs:main from ayushmaan-16:fix-external-proxy-header-leak

Conversation

@ayushmaan-16 (Contributor)

Description

Headlamp's external proxy was forwarding all incoming headers from the user's browser directly to external services (like ArtifactHub). This was a security risk because sensitive information like Authorization tokens, Cookies, and internal Headlamp headers was being shared with these external targets.

We have fixed this issue by adding a filter. Now, the proxy will strip out these sensitive headers before sending the request to the target URL, making sure no credentials are leaked.

Changes Made

  • backend/cmd/headlamp.go:
    • Updated the /externalproxy handler to filter headers.
    • Specifically, it now skips Authorization, Cookie, and any header starting with X-HEADLAMP-.
  • backend/cmd/headlamp_test.go:
    • Added a new regression test named TestExternalProxyHeaderFiltering.
    • This test confirms that sensitive headers are removed while normal headers are still sent correctly.

How to Test

Run the following command to verify the fix:

go test -v ./cmd -run TestExternalProxyHeaderFiltering
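As an added illustration of the filtering rule described above (example code, not the PR's own implementation), the Go snippet below drops the headers named in this PR and its review comments before a request is forwarded upstream. The function names filterForwardedHeaders and isSensitive are assumed, as are the exact "proxy-to" and "Forward-to" names; matching is case-insensitive so that both the hyphen and underscore forms of the X-HEADLAMP prefix are caught.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Exact header names that must never leave the backend. Names are compared
// lower-cased, because http.Header canonicalizes keys on Set/Get
// ("X-HEADLAMP_BACKEND-TOKEN" is stored as "X-Headlamp_backend-Token").
var blockedHeaders = map[string]bool{
	"authorization": true,
	"cookie":        true,
	"proxy-to":      true, // internal routing headers named in the review
	"forward-to":    true, // (assumed exact names)
}

// isSensitive reports whether a header must be dropped before the request is
// forwarded to an external target such as ArtifactHub.
func isSensitive(name string) bool {
	n := strings.ToLower(name)
	// The prefix check covers both "X-HEADLAMP-..." and "X-HEADLAMP_..." forms.
	return blockedHeaders[n] || strings.HasPrefix(n, "x-headlamp")
}

// filterForwardedHeaders returns a copy of in without sensitive headers;
// the input is left untouched so the original request can still be logged.
func filterForwardedHeaders(in http.Header) http.Header {
	out := make(http.Header, len(in))
	for name, values := range in {
		if isSensitive(name) {
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

func main() {
	// Constructed sample of a browser request reaching /externalproxy.
	h := http.Header{}
	h.Set("Authorization", "Bearer sample-token")
	h.Set("Cookie", "session=sample")
	h.Set("X-HEADLAMP_BACKEND-TOKEN", "sample-internal") // underscore form
	h.Set("X-Headlamp-Custom", "sample-custom")          // hyphen form
	h.Set("Accept", "application/json")
	for name, v := range filterForwardedHeaders(h) {
		fmt.Printf("forwarded %s: %s\n", name, v[0]) // only Accept survives
	}
}
```

The upstream request is then built from the returned header map rather than from the browser's original headers.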

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 15, 2026
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ayushmaan-16
Once this PR has been reviewed and has the lgtm label, please assign yolossn for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 15, 2026
@ayushmaan-16 ayushmaan-16 force-pushed the fix-external-proxy-header-leak branch 2 times, most recently from 9a228dc to d1d5908 Compare May 15, 2026 21:02
@illume illume requested a review from Copilot May 16, 2026 10:01
@illume (Contributor) left a comment


Thanks for working on this.

The commit messages could use some tidying up to match our contribution guidelines. We use Linux kernel style — the contributing guide has the details, and git log shows good examples.

Commits that need attention
  • backend: headlamp: filter sensitive headers in external proxy — Description must start with a capital letter — e.g. frontend: HomeButton: Fix the button not frontend: HomeButton: fix the button.
Commit guidelines
  • Use atomic commits focused on a single change.
  • Use the title format <area>: <Description of changes> — description must start with a capital letter.
  • Keep the title under 72 characters (soft requirement).
  • Explain the intention and why the change is needed.
  • Make commit titles meaningful and describe what changed.
  • Do not add code that a later commit rewrites; squash or reorder commits instead.
  • Do not include Fixes #NN in commit messages.

Good examples:

  • frontend: HomeButton: Fix so it navigates to home
  • backend: config: Add enable-dynamic-clusters flag

Copilot AI (Contributor) left a comment


Pull request overview

This PR hardens the backend /externalproxy endpoint to reduce credential/header leakage when proxying browser requests to allowed external services (e.g., ArtifactHub).

Changes:

  • Added header filtering in the external proxy request path to avoid forwarding sensitive headers.
  • Added a regression test intended to ensure sensitive headers are stripped while normal headers are preserved.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

  • backend/cmd/headlamp.go: Filters selected request headers before forwarding to the external proxy target.
  • backend/cmd/headlamp_test.go: Adds a regression test covering external proxy header filtering behavior.
Comments suppressed due to low confidence (1)

backend/cmd/headlamp_test.go:2678

  • The regression test uses "X-Headlamp-Backend-Token"/"X-Headlamp-Custom" (hyphenated) and only asserts for the "X-HEADLAMP-" prefix, but the backend’s sensitive header is actually "X-HEADLAMP_BACKEND-TOKEN" (underscore). Update the test inputs/assertions so it fails if underscore-form internal headers are forwarded, and consider asserting that internal control headers like "proxy-to"/"Forward-to" are not forwarded either.
	// Set sensitive headers that should be filtered
	req.Header.Set("Authorization", "Bearer sensitive-token")
	req.Header.Set("Cookie", "session=sensitive-cookie")
	req.Header.Set("X-Headlamp-Backend-Token", "sensitive-backend-token")
	req.Header.Set("X-Headlamp-Custom", "sensitive-custom-header")

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 16, 2026
@illume illume requested a review from Copilot May 16, 2026 14:50
@illume (Contributor) left a comment


Thanks for the contribution.

Could you take a look at the commit messages in this PR? We follow a Linux kernel style for git commits — see the contributing guide and git log for examples.

Commits that need attention
  • backend: headlamp: filter sensitive headers in external proxy — Description must start with a capital letter — e.g. frontend: HomeButton: Fix the button not frontend: HomeButton: fix the button.
Commit guidelines
  • Use atomic commits focused on a single change.
  • Use the title format <area>: <Description of changes> — description must start with a capital letter.
  • Keep the title under 72 characters (soft requirement).
  • Explain the intention and why the change is needed.
  • Make commit titles meaningful and describe what changed.
  • Do not add code that a later commit rewrites; squash or reorder commits instead.
  • Do not include Fixes #NN in commit messages.

Good examples:

  • frontend: HomeButton: Fix so it navigates to home
  • backend: config: Add enable-dynamic-clusters flag

The backend test job in CI is failing. Run cd backend && go test ./... to reproduce the errors locally.

How to run the backend tests

Run cd backend && go test ./... to see all failures. Fix the failing tests and commit the result.

Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

@ayushmaan-16 ayushmaan-16 force-pushed the fix-external-proxy-header-leak branch from 0a4bc5a to 860056e Compare May 16, 2026 15:17
@ayushmaan-16 ayushmaan-16 requested a review from illume May 16, 2026 15:29
@illume illume requested a review from Copilot May 17, 2026 06:40
Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 17, 2026
@illume (Contributor) left a comment


Thanks for working on this.

Looks like there are git conflicts in this PR. Can you fix them up?

How to resolve conflicts

Rebase or merge the latest main into your branch, resolve the conflicts, and push the updated branch.

Would you mind addressing the open Copilot review comments? Please mark each comment as resolved after addressing it.

Prevent external proxy requests from forwarding sensitive auth.

Filter internal routing headers before proxying upstream.

Add a regression test for Headlamp headers and preserved unrelated headers.
@ayushmaan-16 ayushmaan-16 force-pushed the fix-external-proxy-header-leak branch from 6d1dbd0 to eb76287 Compare May 18, 2026 11:46
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 18, 2026
@ayushmaan-16 ayushmaan-16 requested a review from illume May 18, 2026 20:02
@illume illume requested a review from Copilot May 19, 2026 14:38
Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

@illume (Contributor) left a comment


Thanks for these changes.

Can you please address the open review comments? Once you've resolved each one, please mark it as resolved.

@ayushmaan-16 ayushmaan-16 requested a review from illume May 19, 2026 18:09
Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

4 participants