v0.36.0
New: Preserved Header Casing for Inject Mode
The secrets transform now sends inject-mode headers upstream with the exact casing written in config rather than Go's canonical HTTP form. Previously, a configured header: X-API-KEY was forwarded as X-Api-Key due to http.Header.Set canonicalization. The header is now assigned directly, matching the behavior added for match_headers in v0.35.0. The injected audit annotation now also reflects the wire casing.
inject:
# The header name is sent upstream with the casing written here.
header: "X-API-KEY"
formatter: "Bearer {{ .Value }}"Note: HTTP/2 upstreams lowercase all header names regardless of what iron-proxy sends, so this casing control applies to HTTP/1.x connections only.
New: Hop-by-Hop Header Stripping
iron-proxy now strips hop-by-hop headers and Connection-named tokens from requests before forwarding them upstream, on both HTTP and WebSocket paths. TE: trailers is preserved for gRPC. This prevents proxy-internal headers (such as Transfer-Encoding, Proxy-Authorization, and any custom Connection tokens) from reaching upstream services.
New: Dot-Segment Path Rejection
Request paths containing . or .. segments are now rejected before policy evaluation. This ensures that policy rules are applied to well-formed, normalized paths and that these segments don't reach upstream services.