Skip to content

fix: forward all request headers in record proxy#58

Merged
jpr5 merged 1 commit intoCopilotKit:mainfrom
iskhakovt:fix/proxy-forward-all-headers
Mar 31, 2026
Merged

fix: forward all request headers in record proxy#58
jpr5 merged 1 commit intoCopilotKit:mainfrom
iskhakovt:fix/proxy-forward-all-headers

Conversation

@iskhakovt
Copy link
Copy Markdown
Contributor

@iskhakovt iskhakovt commented Mar 30, 2026
edited
Loading

Problem

The record proxy only forwards 5 hardcoded request headers to the upstream provider:
authorization, x-api-key, api-key, content-type, accept.

Provider-specific headers are silently dropped. For example, the Anthropic API
requires the anthropic-version header on every request — without it, the API
returns 400:

{'type': 'error', 'error': {'type': 'invalid_request_error',
 'message': 'anthropic-version: header is required'}}

This makes --record mode unusable with the Anthropic provider.

Fix

Forward all request headers by default, stripping only headers that should
not be proxied. The strip list is a module-level constant:

Hop-by-hop headers (RFC 2616 §13.5.1):
connection, keep-alive, transfer-encoding, te, trailer, upgrade,
proxy-authorization, proxy-authenticate

Set by the HTTP client (from target URL / body):
host, content-length

LLM proxy specific (avoid leaking or encoding mismatch):
cookie, accept-encoding

Auth headers (authorization, x-api-key) are still forwarded — they're
no longer special-cased since all non-stripped headers pass through. They
continue to be excluded from saved fixture files (that logic is separate
and unchanged).

Via / X-Forwarded-* are not set or stripped — consistent with how
other LLM proxy tools (LiteLLM, Portkey, Helicone) handle upstream
forwarding, and LLM APIs (OpenAI, Anthropic) do not use them.

claude[bot]
claude bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@iskhakovt iskhakovt force-pushed the fix/proxy-forward-all-headers branch 3 times, most recently from 17942e9 to 917d2f6 Compare March 30, 2026 10:16
@iskhakovt
fix: forward all request headers in record proxy
91a0744 
The record proxy only forwarded a hardcoded list of headers (authorization,
x-api-key, api-key, content-type, accept), silently dropping provider-specific
headers like anthropic-version. This made --record mode unusable with the
Anthropic API.

Forward all request headers by default, excluding only hop-by-hop headers
that should not be proxied (host, connection, content-length,
transfer-encoding, keep-alive, upgrade).
@iskhakovt iskhakovt force-pushed the fix/proxy-forward-all-headers branch from 917d2f6 to 91a0744 Compare March 30, 2026 10:19
jpr5
jpr5 approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jpr5 jpr5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Daddy like. Thanks!

@jpr5 jpr5 merged commit ff3f2c8 into CopilotKit:main Mar 31, 2026
jpr5 added a commit that referenced this pull request Mar 31, 2026
@jpr5
Release v1.6.1
4b744cd 
Patch release with recorder fixes:
- Preserve upstream URL path prefixes in record proxy (#57)
- Forward all request headers in record proxy (#58)
- Decode base64-encoded embeddings in recorder (#64)
- Guard base64 decode against corrupted data
- Update CHANGELOG, skill docs
@jpr5 jpr5 mentioned this pull request Mar 31, 2026
Merged
jpr5 added a commit that referenced this pull request Mar 31, 2026
@jpr5
Release v1.6.1 (#65)
3b613d6 
## Summary

Patch release capturing recorder fixes that landed since v1.6.0.

### Patch Changes

- Fix record proxy to preserve upstream URL path prefixes (#57)
- Fix record proxy to forward all request headers to upstream (#58)
- Fix recorder to decode base64-encoded embeddings with
`encoding_format: "base64"` (#64)
- Guard base64 decode against corrupted data
- Update CHANGELOG, skill docs, competitive matrix script

### Files changed

- `package.json` — version 1.6.0 → 1.6.1
- `CHANGELOG.md` — new 1.6.1 section
- `skills/write-fixtures/SKILL.md` — recorder docs updated

All 1,327 tests pass. Build clean.
jpr5 added a commit that referenced this pull request Apr 3, 2026
@jpr5
fix: forward all request headers in record proxy (#58)
5c5329e 
## Problem

The record proxy only forwards 5 hardcoded request headers to the
upstream provider:
`authorization`, `x-api-key`, `api-key`, `content-type`, `accept`.

Provider-specific headers are silently dropped. For example, the
Anthropic API
requires the `anthropic-version` header on every request — without it,
the API
returns 400:

```
{'type': 'error', 'error': {'type': 'invalid_request_error',
 'message': 'anthropic-version: header is required'}}
```

This makes `--record` mode unusable with the Anthropic provider.

## Fix

Forward all request headers by default, stripping only headers that
should
not be proxied. The strip list is a module-level constant:

**Hop-by-hop headers** ([RFC 2616
§13.5.1](https://datatracker.ietf.org/doc/html/rfc2616#section-13.5.1)):
`connection`, `keep-alive`, `transfer-encoding`, `te`, `trailer`,
`upgrade`,
`proxy-authorization`, `proxy-authenticate`

**Set by the HTTP client** (from target URL / body):
`host`, `content-length`

**LLM proxy specific** (avoid leaking or encoding mismatch):
`cookie`, `accept-encoding`

Auth headers (`authorization`, `x-api-key`) are still forwarded —
they're
no longer special-cased since all non-stripped headers pass through.
They
continue to be excluded from saved fixture files (that logic is separate
and unchanged).

`Via` / `X-Forwarded-*` are **not** set or stripped — consistent with
how
other LLM proxy tools (LiteLLM, Portkey, Helicone) handle upstream
forwarding, and LLM APIs (OpenAI, Anthropic) do not use them.
jpr5 added a commit that referenced this pull request Apr 3, 2026
@jpr5
Release v1.6.1
afb71bd 
Patch release with recorder fixes:
- Preserve upstream URL path prefixes in record proxy (#57)
- Forward all request headers in record proxy (#58)
- Decode base64-encoded embeddings in recorder (#64)
- Guard base64 decode against corrupted data
- Update CHANGELOG, skill docs
jpr5 added a commit that referenced this pull request Apr 3, 2026
@jpr5
Release v1.6.1 (#65)
cc0a96e 
## Summary

Patch release capturing recorder fixes that landed since v1.6.0.

### Patch Changes

- Fix record proxy to preserve upstream URL path prefixes (#57)
- Fix record proxy to forward all request headers to upstream (#58)
- Fix recorder to decode base64-encoded embeddings with
`encoding_format: "base64"` (#64)
- Guard base64 decode against corrupted data
- Update CHANGELOG, skill docs, competitive matrix script

### Files changed

- `package.json` — version 1.6.0 → 1.6.1
- `CHANGELOG.md` — new 1.6.1 section
- `skills/write-fixtures/SKILL.md` — recorder docs updated

All 1,327 tests pass. Build clean.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@jpr5 jpr5 jpr5 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@iskhakovt @jpr5