stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
4bdc298ec1fc821ee0d9dda6d2d4643dcedf6b35
git.stella-ops.org/docs/features/unchecked/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware.md

1.5 KiB
Raw Blame History

Gateway Identity Header Strip-and-Overwrite Policy Middleware

Module

Gateway

Status

IMPLEMENTED

Description

Security middleware that enforces identity header integrity at the Gateway/Router level. Strips incoming identity headers from external requests and overwrites them with verified claims from the authenticated session, preventing header spoofing attacks in service-to-service communication.

Implementation Details

  • Identity header middleware: src/Gateway/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs -- strips incoming identity headers and overwrites with verified claims
  • Claims store: src/Gateway/StellaOps.Gateway.WebService/Authorization/EffectiveClaimsStore.cs, IEffectiveClaimsStore.cs -- manages effective claims after header processing
  • Authorization middleware: src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs -- enforces authorization after identity header processing
  • Sender constraints: src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs -- validates sender identity
  • Source: SPRINT_8100_0011_0002_gateway_identity_header_hardening.md

E2E Test Plan

  • Verify incoming identity headers are stripped from external requests
  • Test verified claims replace stripped headers correctly
  • Verify header spoofing attempts are blocked
  • Test service-to-service communication uses verified identity headers
  • Verify edge cases and error handling