2.2 KiB
2.2 KiB
Gateway Identity Header Strip-and-Overwrite Policy Middleware
Module
Gateway
Status
VERIFIED
Description
Security middleware that enforces identity header integrity at the Gateway/Router level. Strips incoming identity headers from external requests and overwrites them with verified claims from the authenticated session, preventing header spoofing attacks in service-to-service communication.
Implementation Details
- Identity header middleware:
src/Gateway/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs-- strips incoming identity headers and overwrites with verified claims (335 lines) - Claims store:
src/Gateway/StellaOps.Gateway.WebService/Authorization/EffectiveClaimsStore.cs,IEffectiveClaimsStore.cs-- manages effective claims after header processing - Authorization middleware:
src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs-- enforces authorization after identity header processing - Sender constraints:
src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs-- validates sender identity - Source: SPRINT_8100_0011_0002_gateway_identity_header_hardening.md
E2E Test Plan
- Verify incoming identity headers are stripped from external requests
- Test verified claims replace stripped headers correctly
- Verify header spoofing attempts are blocked
- Test service-to-service communication uses verified identity headers
- Verify edge cases and error handling
Verification
- Run ID: run-002
- Date: 2026-02-09
- Method: Tier 1 code review + Tier 2d integration tests
- Build: PASS (0 errors, 0 warnings)
- Tests: PASS (202/202 gateway tests pass)
- Code Review:
- IdentityHeaderPolicyMiddleware (335 lines): Lists 14 reserved headers (X-StellaOps-* and legacy X-Stella-*), strips all from incoming requests, extracts identity from validated ClaimsPrincipal, writes canonical + legacy downstream headers.
- IdentityHeaderPolicyMiddlewareTests (502 lines, 18+ tests): Security-focused assertions verifying spoofed headers are replaced, raw claim headers stripped, scopes sorted deterministically, system paths bypass processing.
- Strongest test coverage in the module.
- Verdict: PASS