stacklok / toolhive / 21289409352

60%

Build Type

push

github

Committed by web-flow

Commit Message

Add header forward middleware for remote MCP servers (#3423)

* Add header forward middleware for remote MCP servers

Implement middleware that injects configured headers into requests
before they are forwarded to remote MCP servers. This enables
operators to configure headers server-side, removing the burden
from clients.

This commit adds the core middleware; subsequent commits add RunConfig
types, CLI flags, runner wiring, and CRD support.

Key design decisions:
- RestrictedHeaders blocklist prevents misconfiguration of hop-by-hop,
  request smuggling, and identity spoofing headers
- Authorization is allowed with a warning (valid for static tokens)
- Header names are pre-canonicalized at creation time
- Supports both factory pattern (thv run) and direct creation (thv proxy)
- Header values are never logged, only names at DEBUG level

Related: #3316

* Add Forwarded and Http2-Settings to restricted headers

Add two headers to the RestrictedHeaders blocklist per review feedback:

- Forwarded (RFC 7239): The standardized equivalent of X-Forwarded-*
  headers, which are already blocked. Omitting it left an identity
  spoofing gap.

- Http2-Settings (RFC 7540 Section 3.2.1): A hop-by-hop header used
  in HTTP/1.1 to HTTP/2 upgrades. Forwarding it can cause protocol
  confusion and request smuggling. It is the companion to the already
  blocked Upgrade header.

Run Details

43 of 49 new or added lines in 1 file covered. (87.76%)

2 existing lines in 1 file now uncovered.

37040 of 61866 relevant lines covered (59.87%)

79.89 hits per line