Under what conditions are HTTP request headers removed by proxies?

既然无缘 2021-01-05 00:41

I'm looking at various methods of RESTfully versioning APIs, and there are three major contenders. I believe I've all but settled on using X-API-Version. Pu

2 answers
  •  北海茫月
    2021-01-05 01:39

    This isn't an answer per se, but rather a mention of real-world scenario.

    My current environment uses a mixed CAS/AD solution in order to allow SSO across several different platforms (classic ASP, ASP.NET, J2EE, you name it).

    Recently we identified some issues - part of the solution involves aggregating Auth tokens to HTTP headers whenever necessary to propagate credentials. One specific solution, making considerable heavy usage of cookies, was chained with an nginx implementation, whose HTTP header limit was set to 4KiB. If the cookie payload went over 2KiB, it would start leaking out headers.

    Consequently, applications that had some sort of state/scope control being coordinated via HTTP headers (session cookies included) suddenly started behaving erratically.

    On an interesting, related note, REST services using URL versioning (http://server/api/vX.X/resource, for example) were unaffected.
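
Added example, not part of the answer above or of the original question: a check that measures a request's header block against the 4 KiB proxy limit quoted in the answer and reports how large a cookie can grow before the limit is crossed. The function names, the sample headers and the token and cookie values are constructed for illustration, and the limit is assumed to apply to the whole request head.

```python
"""Measure how close a request's header block is to a proxy's size limit."""

LIMIT = 4 * 1024  # 4 KiB, the proxy header limit quoted in the answer above


def header_budget(method, target, headers, limit=LIMIT):
    """Return size figures for the request head as it is sent on the wire.

    Assumption: the limit applies to the whole head (request line, header
    lines and the final blank line). Some proxies apply it per line instead,
    so the largest single header line is reported as well.
    """
    request_line = f"{method} {target} HTTP/1.1\r\n".encode("latin-1")
    lines = {name: f"{name}: {value}\r\n".encode("latin-1")
             for name, value in headers.items()}
    total = len(request_line) + sum(len(b) for b in lines.values()) + 2
    largest = max(lines, key=lambda n: len(lines[n])) if lines else None
    return {
        "total": total,
        "largest_field": largest,
        "largest_bytes": len(lines[largest]) if largest else 0,
        "headroom": limit - total,
        "over_limit": total > limit,
    }


def first_overflow(method, target, base_headers, cookie_sizes, limit=LIMIT):
    """Return the smallest cookie size (in bytes) that breaks the limit."""
    for size in sorted(cookie_sizes):
        headers = dict(base_headers, Cookie="s=" + "A" * (size - 2))
        if header_budget(method, target, headers, limit)["over_limit"]:
            return size
    return None


# Constructed sample: an SSO-fronted API call carrying a propagated token.
SAMPLE = {
    "Host": "server",
    "X-API-Version": "1.0",
    "Authorization": "Bearer " + "t" * 1500,   # constructed token
    "Cookie": "s=" + "A" * 2046,               # constructed 2 KiB cookie
}

if __name__ == "__main__":
    print(header_budget("GET", "/api/resource", SAMPLE))
    base = {k: v for k, v in SAMPLE.items() if k != "Cookie"}
    print(first_overflow("GET", "/api/resource", base, range(256, 4097, 256)))
```

Running the same measurement against captured production requests shows which header (usually `Cookie` or a propagated token) consumes the budget before a proxy starts rejecting or mangling traffic.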
