# Gateway Identity Header Strip-and-Overwrite Policy Middleware
## Module
Gateway
## Status
VERIFIED
## Description
Security middleware that enforces identity header integrity at the Gateway/Router level. Strips incoming identity headers from external requests and overwrites them with verified claims from the authenticated session, preventing header spoofing attacks in service-to-service communication.
## Implementation Details
- **Identity header middleware**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs` -- strips incoming identity headers and overwrites with verified claims (335 lines)
- **Claims store**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/EffectiveClaimsStore.cs`, `IEffectiveClaimsStore.cs` -- manages effective claims after header processing
- **Authorization middleware**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs` -- enforces authorization after identity header processing
- **Sender constraints**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs` -- validates sender identity
- **Source**: SPRINT_8100_0011_0002_gateway_identity_header_hardening.md
## E2E Test Plan
- [x] Verify incoming identity headers are stripped from external requests
- [x] Test verified claims replace stripped headers correctly
- [x] Verify header spoofing attempts are blocked
- [x] Test service-to-service communication uses verified identity headers
- [x] Verify edge cases and error handling
## Verification
- **Run ID**: run-002
- **Date**: 2026-02-09
- **Method**: Tier 1 code review + Tier 2d integration tests
- **Build**: PASS (0 errors, 0 warnings)
- **Tests**: PASS (202/202 gateway tests pass)
- **Code Review**:
  - IdentityHeaderPolicyMiddleware (335 lines): Lists 14 reserved headers (X-StellaOps-* and legacy X-Stella-*), strips all from incoming requests, extracts identity from validated ClaimsPrincipal, writes canonical + legacy downstream headers.
  - IdentityHeaderPolicyMiddlewareTests (502 lines, 18+ tests): Security-focused assertions verifying spoofed headers are replaced, raw claim headers stripped, scopes sorted deterministically, system paths bypass processing.
  - Strongest test coverage in the module.
- **Verdict**: PASS