Header policy in ION API Gateway
The header policy allows you to control HTTP header values as API requests and responses pass through ION API Gateway. You can insert new headers, update existing headers, or remove headers entirely.
Header values can be defined as static values or derived dynamically from the context object. The context object contains information about the authenticated user, tenant, client application, and request session.
Key capabilities
- Add, modify, or remove HTTP headers.
- Apply header policies to request or response flows.
- Use static header values.
- Use dynamic header values derived from runtime context variables.
- Attach policies at the API Suite or endpoint level.
Who this affects
- API administrators who configure and manage header policies.
- Integration developers who design API flows requiring header manipulation.
- System architects implementing routing, security, or tracking requirements.
- DevOps engineers configuring tenant-specific or environment-specific header behavior.
Required permissions
- Access to ION API Gateway.
- IONAPI-Administrator role to create and modify policies on API Suites or endpoints.
Business benefits
Enhanced security and compliance:
- Add authentication or authorization headers to requests.
- Remove sensitive headers from responses before they reach clients.
- Implement custom security tokens or tracking identifiers.
Improved observability:
- Add correlation IDs or transaction tracking headers.
- Include user identity information for audit trails.
- Support request tracing across systems.
Flexible integration:
- Adapt requests to meet backend system requirements.
- Transform headers between different API standards.
- Support systems that require specific header formats.
Prerequisites and environment requirements
- Access to the ION API Gateway administration interface.
- IONAPI-Administrator security role.
- Configured API endpoints in ION API Gateway.
- Knowledge of required backend headers.
- Familiarity with XML configuration syntax.
- ION API Gateway deployed in cloud or on-premises environment.
How it works
Policy placement and behavior:
- When attached to the request flow, headers are modified before the request is made to the target backend.
- When attached to the response flow, headers are modified before the response is returned to the client.
The flow in which the policy is attached determines whether it affects the request or response. No additional configuration is required to define the flow.
Supported attachment scopes:
- API Suite level, affecting all endpoints within the Suite.
- Endpoint level, affecting a specific endpoint.
Header actions:
- Set: Creates a new header or updates an existing header value.
- Delete: Removes a specific header or all headers when a wildcard is used.
If a header already exists and the set action is used, the existing value is updated rather than duplicated.
Using the context object
The context object is created when ION API Gateway receives a request. It contains runtime information about the authenticated user, tenant, client application, and request session.
You can reference context variables in header values to generate dynamic headers instead of hardcoding environment-specific values.
| Context variable | Description | Example use case |
|---|---|---|
| context.user.Identity2 | User identity of the authenticated user. | Add user tracking headers. |
| context.url.tenant | Tenant ID extracted from the request URL. | Route to tenant-specific backend services. |
| context.clientId | Client ID from authentication or x-infor-ionapi-source header. | Enable client-specific processing. |
| context.requestSessionId | Transaction ID of the request. | Support request correlation and tracing. |
Context variables are read-only and are populated based on authentication, URL parsing, and configuration data.