Configuring header policies in ION API Gateway

Use these tasks to attach a header policy to an API Suite or endpoint and configure the policy to set or delete HTTP headers in request and response flows.

Attaching a header policy to an API Suite

Attach a header policy at the API Suite level to apply header changes to all endpoints in the Suite.

  1. Sign in to ION API Gateway.
  2. Open the API Suite where you want to apply the header policy.
  3. Select the policy configuration for the request flow or response flow.
  4. Select Add Policy and select Header.
  5. Specify the policy XML.
  6. Select Save.

Attaching a header policy to an endpoint

Attach a header policy at the endpoint level to apply header changes only to a specific endpoint.

  1. Sign in to ION API Gateway.
  2. Open the API Suite and select the endpoint.
  3. Select the policy configuration for the request flow or response flow.
  4. Select Add Policy and select Header.
  5. Specify the policy XML.
  6. Select Save.

Header policy XML reference

Use the header policy XML to define the header action and the affected header name and value.

Basic header policy configuration:

<header 
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="policy-name"
    displayName="Display Name"
    enabled="true"
    version="1.0">
    <action>set</action>
    <headerName>header-name</headerName>
    <headerValue>header-value</headerValue>
</header>

Header policy attributes:

Attribute    Description                                 Default  Required
name         Name of the policy instance.                n/a      Yes
displayName  Name to show in logs.                       n/a      No
enabled      Indicates whether the policy is enforced.   true     No
version      Policy version.                             n/a      Yes

Supported elements:

  • <action>: Specify set or delete.
  • <headerName>: Specify the affected header name.
  • <headerValue>: Specify the value to set. This element is required only when <action> is set.

Header value options:

  • Static value: Specify the value directly in <headerValue>.
  • Dynamic value: Reference a context variable in the ref attribute.

Static value example:

<headerValue>application/json</headerValue>

Dynamic value example:

<headerValue ref="context.requestSessionId"/>

Note: Use context variables to avoid hardcoded tenant-specific or environment-specific values.

Setting a header with a static value

Configure a header policy to set a header to a specified value.

  1. Open the header policy configuration where the policy is attached.
  2. Set <action> to set.
  3. Specify the header name and header value.
     • action: Specify set.
     • headerName: Specify the name of the header to create or update.
     • headerValue: Specify the static value to assign to the header.
  4. Select Save.

Setting a header by using a context variable

Configure a header policy to set a header value dynamically by referencing a context variable.

  1. Open the header policy configuration where the policy is attached.
  2. Set <action> to set.
  3. Specify the header name and reference the context variable in the header value.
     • action: Specify set.
     • headerName: Specify the name of the header to create or update.
     • headerValue ref: Reference a context variable by using the ref attribute, such as context.requestSessionId.
  4. Select Save.

Deleting a header

Configure a header policy to remove a header from the request or response flow.

  1. Open the header policy configuration where the policy is attached.
  2. Set <action> to delete.
  3. Specify the header to delete.
     • action: Specify delete.
     • headerName: Specify the name of the header to remove. To remove all headers in the current flow, specify *.
     Note: Use the wildcard option only when required by your implementation.
  4. Select Save.

Disabling a header policy

Disable a header policy without removing it from the API Suite or endpoint.

  1. Open the header policy configuration where the policy is attached.
  2. Set the enabled attribute in the <header> element to false.
  3. Select Save.
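
The rules in the reference and tasks above (required name and version attributes, an action of set or delete, a headerValue for set, the * wildcard for delete, the enabled attribute) can be checked before a policy is saved in the gateway. The following Python linter is an added example, not Infor code; its function names and the sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.infor.com/ion/api}"  # namespace used by the policy XML on this page

def lint_header_policy(xml_text):
    """Return a list of findings for one header policy document (empty = clean)."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "header":
        return ["root element is not <header> in the ION API namespace"]
    findings = []
    for attr in ("name", "version"):  # marked Required in the attribute table
        if not root.get(attr):
            findings.append(f"missing required attribute: {attr}")
    if root.get("enabled", "true").strip().lower() != "true":  # default is true
        findings.append("policy is disabled and will not be enforced")
    action = (root.findtext(NS + "action") or "").strip()
    header = (root.findtext(NS + "headerName") or "").strip()
    value = root.find(NS + "headerValue")
    if action not in ("set", "delete"):
        findings.append(f"unsupported action: {action!r}")
    if not header:
        findings.append("headerName is missing or empty")
    if action == "set":
        # A set action needs either a static text value or a ref to a context variable.
        static = value is not None and (value.text or "").strip()
        ref = value is not None and value.get("ref")
        if not (static or ref):
            findings.append("action is set but headerValue has neither text nor ref")
    if action == "delete" and header == "*":
        findings.append("wildcard delete removes every header in the current flow")
    return findings

# Constructed sample policies (not taken from a real tenant).
HEAD = '<header xmlns="http://www.infor.com/ion/api" '
SAMPLES = {
    "remove-internal-header": HEAD + 'name="remove-internal-header" enabled="true" version="1.0">'
        "<action>delete</action><headerName>X-Internal-Server-ID</headerName></header>",
    "strip-all": HEAD + 'name="strip-all" version="1.0">'
        "<action>delete</action><headerName>*</headerName></header>",
    "broken-set": HEAD + 'name="broken-set" enabled="false">'
        "<action>set</action><headerName>X-API-Version</headerName><headerValue/></header>",
}

def lint_all(samples=SAMPLES):
    """Lint every sample and return {policy name: findings}."""
    return {name: lint_header_policy(xml) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "->", findings or "OK")
```

A disabled policy is reported because a delete policy that strips an internal header stops protecting responses as soon as enabled is set to false.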

Header policy examples

Use these examples to create header policies for routing, tracing, security, and compatibility.

Example 1: Tenant routing

Inject a tenant header to support tenant-specific backend routing logic.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="tenant-routing"
    displayName="Tenant Routing"
    enabled="true"
    version="1.0">
    <action>set</action>
    <headerName>X-Grid-runas-tenant</headerName>
    <headerValue ref="context.user.Tenant"/>
</header>

Use this policy for multi-tenant applications where tenant routing is handled by backend services.

Example 2: Request correlation and distributed tracing

Add a correlation header to support tracing across multiple services.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="correlation-id"
    displayName="Correlation ID"
    enabled="true"
    version="1.0">
    <action>set</action>
    <headerName>X-Correlation-ID</headerName>
    <headerValue ref="context.requestSessionId"/>
</header>

Use this policy for microservices architectures and troubleshooting.

Example 3: Security header removal

Remove a sensitive header before the response is returned to the client.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="remove-internal-header"
    displayName="Remove Internal Header"
    enabled="true"
    version="1.0">
    <action>delete</action>
    <headerName>X-Internal-Server-ID</headerName>
</header>

Use this policy to protect internal infrastructure details.

Example 4: User identity propagation

Propagate user identity information to backend services for audit logging or authorization.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="user-identity"
    displayName="User Identity Propagation"
    enabled="true"
    version="1.0">
    <action>set</action>
    <headerName>X-Authenticated-User</headerName>
    <headerValue ref="context.user.Identity2"/>
</header>

Use this policy for audit trails and user-specific processing.

Example 5: API versioning

Add a static version header to support compatibility handling in backend services.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="api-version"
    displayName="API Version Header"
    enabled="true"
    version="1.0">
    <action>set</action>
    <headerName>X-API-Version</headerName>
    <headerValue>2.0</headerValue>
</header>

Use this policy to support multiple API versions during migration.

Example 6: Overwrite the Content-Type header

Override the Content-Type header so that the gateway sends a JSON content type.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="header-example"
    displayName="header-example"
    enabled="true"
    version="1.0">
    <action>set</action>
    <headerName>Content-Type</headerName>
    <headerValue>application/json</headerValue>
</header>

Use this policy to standardize request and response behavior based on client and server requirements.