microsoft · Tratcher · Jan 4, 2023 · Jan 4, 2023 · Jan 4, 2023
@@ -9,7 +9,7 @@ Headers are a very important part of processing HTTP requests and each have thei
 
 ## YARP header filtering
 
-YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/b0a24521b269c030c50617f9fc56be9b8a3fe247/src/ReverseProxy/Forwarder/RequestUtilities.cs#L65-L81), with some highlights described below.
+YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/main/src/ReverseProxy/Forwarder/RequestUtilities.cs#L63), with some highlights described below.
 
 ### Connection, KeepAlive, Close
 

@@ -60,7 +60,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)
         return _headersToExclude.Contains(headerName);
     }
 
-    private static readonly HashSet<string> _headersToExclude = new(17, StringComparer.OrdinalIgnoreCase)
+    private static readonly HashSet<string> _headersToExclude = new(18, StringComparer.OrdinalIgnoreCase)
     {
         HeaderNames.Connection,
         HeaderNames.TransferEncoding,
@@ -79,6 +79,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)
         HeaderNames.UpgradeInsecureRequests,
         HeaderNames.TE,
         HeaderNames.AltSvc,
+        HeaderNames.StrictTransportSecurity,
     };
 
     // Headers marked as HttpHeaderType.Content in

@@ -33,6 +33,7 @@ public class HttpTransformerTests
         HeaderNames.UpgradeInsecureRequests,
         HeaderNames.TE,
         HeaderNames.AltSvc,
+        HeaderNames.StrictTransportSecurity,
     };
 
     [Fact]