
Trusted headers

Trusted headers that the Go API Gateway injects for downstream services.

When the Gateway injects

The Gateway injects trusted headers only after all of the following hold:

  1. The request is not on a public route.
  2. The Bearer JWT is valid.
  3. The route context guard passes.
  4. The token carries branch/platform context when the route requires it.

For protected business APIs, the token is normally a branch-scoped accessToken.

Closed header list

The list is closed: after a valid branch token the Gateway injects exactly these headers and no others.

  • X-Account-Id
  • X-Workspace-Id
  • X-Member-Id
  • X-Active-Branch-Id
  • X-Branch-Ids
  • X-Roles
  • X-Token-Scope=BRANCH
  • X-Request-Id
  • X-Correlation-Id

Source mapping

The Gateway takes each value from the verified JWT claims (or from middleware where noted); "fallback" means the second claim is used when the first is absent:

| Header             | Claim / source                        |
| ------------------ | ------------------------------------- |
| X-Account-Id       | account_id, fallback sub              |
| X-Workspace-Id     | workspace_id                          |
| X-Member-Id        | member_id                             |
| X-Active-Branch-Id | active_branch_id, fallback branch_id  |
| X-Branch-Ids       | branch_ids                            |
| X-Roles            | roles                                 |
| X-Token-Scope      | token_scope, fallback scope           |
| X-Request-Id       | request-id middleware                 |
| X-Correlation-Id   | request-id middleware                 |

Sanitizing client context

The Gateway deletes client-supplied internal context headers before proxying, so a value the client sent can never survive as trusted context.

Examples of headers a client must not set itself:

  • X-Account-Id
  • X-Workspace-Id
  • X-Member-Id
  • X-Active-Branch-Id
  • X-Branch-Ids
  • X-Roles
  • X-Token-Scope

Only headers the Gateway injects after validation are treated as trusted. This holds only while downstream services are reachable solely through the Gateway; a service that is also exposed directly would accept forged headers.
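The injection conditions, the source mapping and the sanitizing step above form one procedure. The following is an added example of that procedure in Go; it is not the Gateway's own code. It assumes the JWT has already been verified and decoded into a `map[string]any` (the `Claims` type, `first`/`list` helpers, `SanitizeClientContext` and `InjectTrustedHeaders` are names chosen here), that the request-id middleware hands over a single `requestID` used for both X-Request-Id and X-Correlation-Id, and that multi-valued claims are joined with "," (the page does not fix that encoding):

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Claims is a verified JWT claim set keyed by claim name, as encoding/json
// would decode it. Signature, expiry and issuer checks are assumed to have
// already passed; this example only covers sanitising and mapping.
type Claims map[string]any

// internalHeaders are the context headers only the Gateway may set. They are
// deleted from the inbound request before any value is injected.
var internalHeaders = []string{
	"X-Account-Id", "X-Workspace-Id", "X-Member-Id", "X-Active-Branch-Id",
	"X-Branch-Ids", "X-Roles", "X-Token-Scope",
}

// first returns the first non-empty string claim among keys, which is how the
// "fallback" column of the mapping table is applied.
func (c Claims) first(keys ...string) string {
	for _, k := range keys {
		if s, ok := c[k].(string); ok && s != "" {
			return s
		}
	}
	return ""
}

// list returns a string-array claim whether it arrived as []string or, as
// encoding/json produces for JSON arrays, []any.
func (c Claims) list(key string) []string {
	var out []string
	switch v := c[key].(type) {
	case []string:
		out = append(out, v...)
	case []any:
		for _, e := range v {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// SanitizeClientContext deletes every client-supplied internal context header
// so that nothing the client sent can reach a downstream service as "trusted".
func SanitizeClientContext(h http.Header) {
	for _, name := range internalHeaders {
		h.Del(name)
	}
}

// InjectTrustedHeaders runs after the public-route, JWT and route-guard checks
// have passed. requireBranch models a route that demands branch context;
// requestID is the value produced by the request-id middleware (assumption:
// one value feeds both X-Request-Id and X-Correlation-Id). Multi-valued
// claims are joined with "," (assumption of this example).
func InjectTrustedHeaders(h http.Header, c Claims, requestID string, requireBranch bool) error {
	SanitizeClientContext(h)

	scope := c.first("token_scope", "scope")
	activeBranch := c.first("active_branch_id", "branch_id")
	if requireBranch && (scope != "BRANCH" || activeBranch == "") {
		return fmt.Errorf("route requires branch context: scope=%q active_branch=%q", scope, activeBranch)
	}
	accountID := c.first("account_id", "sub")
	if accountID == "" {
		return errors.New("token carries neither account_id nor sub")
	}

	// Only set headers that have a value; an empty header is not "no context".
	set := func(name, value string) {
		if value != "" {
			h.Set(name, value)
		}
	}
	set("X-Account-Id", accountID)
	set("X-Workspace-Id", c.first("workspace_id"))
	set("X-Member-Id", c.first("member_id"))
	set("X-Active-Branch-Id", activeBranch)
	set("X-Branch-Ids", strings.Join(c.list("branch_ids"), ","))
	set("X-Roles", strings.Join(c.list("roles"), ","))
	set("X-Token-Scope", scope)
	set("X-Request-Id", requestID)
	set("X-Correlation-Id", requestID)
	return nil
}

func main() {
	// Constructed request: the client tries to smuggle an admin role and
	// another workspace. Both headers are dropped before injection.
	req, _ := http.NewRequest(http.MethodGet, "http://gateway.local/api/orders", nil)
	req.Header.Set("X-Roles", "admin")
	req.Header.Set("X-Workspace-Id", "ws_victim")

	// Constructed claims from an already-verified branch-scoped accessToken.
	claims := Claims{
		"sub": "acc_1", "workspace_id": "ws_1", "member_id": "m_1",
		"branch_id": "br_1", "branch_ids": []any{"br_1", "br_2"},
		"roles": []any{"staff"}, "scope": "BRANCH",
	}
	if err := InjectTrustedHeaders(req.Header, claims, "req-0001", true); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, k := range []string{"X-Account-Id", "X-Workspace-Id", "X-Roles", "X-Token-Scope"} {
		fmt.Printf("%s: %s\n", k, req.Header.Get(k))
	}
}
```

Note that sanitising runs unconditionally at the top of `InjectTrustedHeaders`, before any check that can return early: a request rejected for missing branch context must not be forwarded with client-supplied context still attached either.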

Downstream rule

Downstream services such as the Entitlement Service:

  • Consume the Gateway's trusted headers.
  • Do not trust context from the client's own body or headers.
  • Do not re-verify the client JWT in the normal internal runtime.
  • Use the trusted context to enforce workspace/member isolation.

Concrete rule: a `workspaceId` in the client body must not override `X-Workspace-Id` from the trusted Gateway context.
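The consuming side of that rule, as an added Go example that is not the Entitlement Service's own code: the `TrustedContext` type, `ContextFromHeaders` and `ResolveScope` are names chosen here, the request body (`GrantRequest` with `workspaceId`, `branchId`, `feature`) is constructed for the example, and lists are assumed to be ","-joined. It goes one step beyond the page's literal rule by also requiring the requested branch to be one of the trusted X-Branch-Ids:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// TrustedContext is what a downstream service reads from the Gateway-injected
// headers. The type is an assumption of this example.
type TrustedContext struct {
	AccountID, WorkspaceID, MemberID, ActiveBranchID, TokenScope string
	BranchIDs, Roles                                             []string
}

var ErrNoTrustedContext = errors.New("missing trusted Gateway context")

func splitList(s string) []string {
	if s == "" {
		return nil
	}
	return strings.Split(s, ",")
}

// ContextFromHeaders reads the trusted headers and nothing else: in the
// normal internal runtime the Gateway has already verified the JWT, so the
// service never looks at the Authorization header. Identity headers that are
// absent mean the request did not come through the Gateway.
func ContextFromHeaders(h http.Header) (TrustedContext, error) {
	ctx := TrustedContext{
		AccountID:      h.Get("X-Account-Id"),
		WorkspaceID:    h.Get("X-Workspace-Id"),
		MemberID:       h.Get("X-Member-Id"),
		ActiveBranchID: h.Get("X-Active-Branch-Id"),
		TokenScope:     h.Get("X-Token-Scope"),
		BranchIDs:      splitList(h.Get("X-Branch-Ids")),
		Roles:          splitList(h.Get("X-Roles")),
	}
	if ctx.AccountID == "" || ctx.WorkspaceID == "" || ctx.MemberID == "" {
		return ctx, ErrNoTrustedContext
	}
	return ctx, nil
}

// GrantRequest is a constructed entitlement request body. A client may send
// workspaceId, but it is never the source of truth.
type GrantRequest struct {
	WorkspaceID string `json:"workspaceId"`
	BranchID    string `json:"branchId"`
	Feature     string `json:"feature"`
}

// ResolveScope applies the downstream rule: the workspace comes from the
// trusted context, a body workspaceId that disagrees with it is rejected
// rather than honoured, and the branch must be one the token covers.
func ResolveScope(h http.Header, body []byte) (string, string, error) {
	ctx, err := ContextFromHeaders(h)
	if err != nil {
		return "", "", err
	}
	var req GrantRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return "", "", fmt.Errorf("bad body: %w", err)
	}
	if req.WorkspaceID != "" && req.WorkspaceID != ctx.WorkspaceID {
		return "", "", fmt.Errorf("body workspaceId %q does not match trusted X-Workspace-Id %q",
			req.WorkspaceID, ctx.WorkspaceID)
	}
	branch := req.BranchID
	if branch == "" {
		branch = ctx.ActiveBranchID
	}
	allowed := false
	for _, b := range ctx.BranchIDs {
		if b == branch {
			allowed = true
			break
		}
	}
	if !allowed {
		return "", "", fmt.Errorf("branch %q is not in trusted X-Branch-Ids %v", branch, ctx.BranchIDs)
	}
	return ctx.WorkspaceID, branch, nil
}

func main() {
	// Constructed headers as the Gateway would inject them.
	h := http.Header{}
	h.Set("X-Account-Id", "acc_1")
	h.Set("X-Workspace-Id", "ws_1")
	h.Set("X-Member-Id", "m_1")
	h.Set("X-Active-Branch-Id", "br_1")
	h.Set("X-Branch-Ids", "br_1,br_2")
	h.Set("X-Roles", "staff")
	h.Set("X-Token-Scope", "BRANCH")

	for _, body := range []string{
		`{"feature":"reports"}`,
		`{"workspaceId":"ws_other","feature":"reports"}`,
		`{"branchId":"br_9","feature":"reports"}`,
	} {
		ws, br, err := ResolveScope(h, []byte(body))
		fmt.Printf("%s -> ws=%q branch=%q err=%v\n", body, ws, br, err)
	}
}
```

Rejecting a mismatched body `workspaceId` rather than silently ignoring it is a design choice made here: ignoring it also satisfies "must not override", but an explicit error surfaces client bugs and probing attempts in the service's logs.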

TODO

  • Not yet closed: Entitlement Service E2E proof of header consumption via the Gateway.
