|
| 1 | +# Allowed URL Headers Configuration |
| 2 | +# |
| 3 | +# This file defines which HTTP headers are allowed in URL fetch requests based |
| 4 | +# on URL patterns, and whether they should be treated as sensitive (encrypted |
| 5 | +# in the vault) or not. |
| 6 | +# |
| 7 | +# If no allow-list is specified or this file is empty/missing, NO headers will |
| 8 | +# be allowed in URL requests. |
| 9 | +# |
| 10 | +# Configuration structure: |
| 11 | +# patterns: |
| 12 | +# - url_pattern: A regular expression pattern to match URLs |
| 13 | +# headers: |
| 14 | +# - name: The exact header name (case-insensitive) |
| 15 | +# sensitive: Whether this header contains sensitive information that should |
| 16 | +# be encrypted when stored in the database (requires vault configuration) |
| 17 | +# |
| 18 | +# IMPORTANT: |
| 19 | +# ------------------------------------ |
| 20 | +# When a URL matches MULTIPLE patterns, the union of all allowed headers is used. |
| 21 | +# This means you can compose permissions from multiple patterns for flexibility. |
| 22 | +# |
| 23 | +# Example: A URL matching both pattern A (allows headers X, Y) and pattern B |
| 24 | +# (allows headers Y, Z) will allow headers X, Y, and Z. |
| 25 | +# |
| 26 | +# Security: If ANY matching pattern marks a header as sensitive, it will be |
| 27 | +# treated as sensitive (secure-by-default). |
| 28 | +# |
| 29 | +# Examples: |
| 30 | + |
| 31 | +patterns: |
| 32 | + # GitHub API access - allow authentication headers for GitHub URLs |
| 33 | + - url_pattern: "^https://api\\.github\\.com/.*" |
| 34 | + headers: |
| 35 | + - name: Authorization |
| 36 | + sensitive: true |
| 37 | + - name: Accept |
| 38 | + sensitive: false |
| 39 | + - name: X-GitHub-Api-Version |
| 40 | + sensitive: false |
| 41 | + |
| 42 | + # Generic GitHub content (raw files, releases) - no auth needed |
| 43 | + - url_pattern: "^https://(raw\\.githubusercontent\\.com|github\\.com/.*/releases/download)/.*" |
| 44 | + headers: |
| 45 | + - name: Accept |
| 46 | + sensitive: false |
| 47 | + - name: Accept-Encoding |
| 48 | + sensitive: false |
| 49 | + |
| 50 | + # AWS S3 buckets - allow AWS authentication headers |
| 51 | + - url_pattern: "^https://.*\\.s3\\..+\\.amazonaws\\.com/.*" |
| 52 | + headers: |
| 53 | + - name: Authorization |
| 54 | + sensitive: true |
| 55 | + - name: X-Amz-Date |
| 56 | + sensitive: false |
| 57 | + - name: X-Amz-Content-Sha256 |
| 58 | + sensitive: false |
| 59 | + - name: X-Amz-Security-Token |
| 60 | + sensitive: true |
| 61 | + |
| 62 | + # Generic cloud storage APIs |
| 63 | + - url_pattern: "^https://.*\\.(googleapis\\.com|azure\\.com|digitaloceanspaces\\.com)/.*" |
| 64 | + headers: |
| 65 | + - name: Authorization |
| 66 | + sensitive: true |
| 67 | + - name: X-API-Key |
| 68 | + sensitive: true |
| 69 | + - name: Accept |
| 70 | + sensitive: false |
| 71 | + |
| 72 | + # FTP over HTTP services |
| 73 | + - url_pattern: "^https?://ftp\\..*/.*" |
| 74 | + headers: |
| 75 | + - name: Authorization |
| 76 | + sensitive: true |
| 77 | + - name: Accept |
| 78 | + sensitive: false |
| 79 | + |
| 80 | + # Academic/research data repositories |
| 81 | + - url_pattern: "^https://.*(zenodo\\.org|figshare\\.com|dryad\\.org|dataverse\\.org)/.*" |
| 82 | + headers: |
| 83 | + - name: Authorization |
| 84 | + sensitive: true |
| 85 | + - name: X-API-Key |
| 86 | + sensitive: true |
| 87 | + - name: Accept |
| 88 | + sensitive: false |
| 89 | + |
| 90 | + # HTTPS URLs - basic headers only (most restrictive for unknown sources) |
| 91 | + - url_pattern: "^https://.*" |
| 92 | + headers: |
| 93 | + - name: Accept |
| 94 | + sensitive: false |
| 95 | + - name: Accept-Language |
| 96 | + sensitive: false |
| 97 | + - name: Accept-Encoding |
| 98 | + sensitive: false |
| 99 | + - name: Cache-Control |
| 100 | + sensitive: false |
| 101 | + |
| 102 | +# Security notes: |
| 103 | +# - All matching patterns contribute their allowed headers (union of permissions) |
| 104 | +# - If ANY pattern marks a header as sensitive, it's treated as sensitive |
| 105 | +# - Only add headers that are absolutely necessary for your use case |
| 106 | +# - When in doubt, mark headers as sensitive to ensure encryption |
| 107 | +# - Patterns are order-independent, making configuration more composable |
| 108 | +# - HTTP (non-HTTPS) URLs are generally not recommended and may be blocked |
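Review bot: The S3, cloud-storage and research-repository patterns (file lines 51, 63 and 81) match the host with `.*`, which also spans `/`, so a path segment of a URL on an unrelated host can satisfy the host part of the expression and the `sensitive: true` Authorization and X-API-Key headers granted by those entries become allowed for that host. Line 81 additionally has no separator before the alternation, so any host that merely ends in one of those suffixes (constructed example: `notzenodo.org`) matches as well. Restricting the host portion to `[^/]` keeps the match inside the authority component, e.g. `- url_pattern: "^https://[^/]*\\.s3\\.[^/]+\\.amazonaws\\.com/.*"`, `- url_pattern: "^https://[^/]*\\.(googleapis\\.com|azure\\.com|digitaloceanspaces\\.com)/.*"` and `- url_pattern: "^https://([^/]*\\.)?(zenodo\\.org|figshare\\.com|dryad\\.org|dataverse\\.org)/.*"`. Line 73 grants Authorization to every host whose name begins with `ftp.`; if that breadth is intended, a comment stating so would make the trust decision explicit. A one-line comment above `patterns:` such as `# Host parts must use [^/]* / [^/]+, never .*, so a path cannot stand in for the host` would keep future entries consistent with the fix.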