Skip to main content

Response Headers


Overview

This module adds and removes headers from the HTTP response before it is returned to the client. This is useful for stripping internal headers or enforcing the use of security headers without modifying upstream applications.

You may interpolate variables into header values to make them dynamic.

Quickstart

Agent CLI

ngrok http 80 \
--response-header-add='content-security-policy: self' \
--response-header-add='dial-duration: ${.backend.dial_duration}' \
--response-header-remove='internal-trace-id'

Agent Configuration File

tunnels:
example:
proto: http
addr: 80
response_headers:
add:
- "content-security-policy: self"
- "dial-duration: ${.backend.dial_duration}"
remove:
- "internal-trace-id"

SSH

ssh -R 443:localhost:80 connect.ngrok-agent.com http \
--response-header-add='content-security-policy: self' \
--response-header-add='dial-duration: ${.backend.dial_duration}' \
--response-header-remove='internal-trace-id'

Go SDK

import (
"context"
"net"

"golang.ngrok.com/ngrok"
"golang.ngrok.com/ngrok/config"
)

func listenResponseHeaders(ctx context.Context) net.Listener {
listener, _ := ngrok.Listen(ctx,
config.HTTPEndpoint(
config.WithResponseHeader("content-security-policy", "self"),
config.WithResponseHeader("dial-duration", "${.backend.dial_duration}"),
config.WithRemoveResponseHeader("internal-trace-id"),
),
ngrok.WithAuthtokenFromEnv(),
)

return listener
}

Rust SDK

use ngrok::prelude::*;

async fn start_tunnel() -> anyhow::Result<impl Tunnel> {
let sess = ngrok::Session::builder()
.authtoken_from_env()
.connect()
.await?;

let tun = sess
.http_endpoint()
.response_header("content-security-policy", "self")
.response_header("dial-duration", "${.backend.dial_duration}")
.remove_response_header("internal-trace-id")
.listen()
.await?;

println!("Listening on URL: {:?}", tun.url());

Ok(tun)
}

Kubernetes Ingress Controller

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: ngrok-module-set
modules:
headers:
response:
add:
content-security-policy: "self"
dial-duration: "${.backend.dial_duration}"
remove:
- "internal-trace-id"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
k8s.ngrok.com/modules: ngrok-module-set
spec:
ingressClassName: ngrok
rules:
- host: your-domain.ngrok.app
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80

Edges

Response Headers is a supported HTTP Edge Route module.

Behavior

Ordering

Response header changes made by other modules can be overridden by this module because this module is executed immediately before the HTTP header is written to the client.

http_request_complete.v0 events include any header changes made by this module because those events are published after this module executes.

Variable Interpolation

You may interpolate variables into header values. Variables are interpolated into headers with JSONPath expressions surrounded by the ${} syntax.

For example to return to the duration spent dialing the upstream application, you may construct a header value like so.

ngrok http 80 --response-header-add 'dial-duration: ${.backend.dial_duration}'

If you are specifying variable interpolation from the command line, make sure to use single quotes for the command line argument otherwise it is likely that the shell will interpret your variable definition.

Consult the Variables Reference for the available variables.

Multiple Header Values

HTTP headers may include the same header multiple times. You may add a header multiple times with different values and it will be added multiple times. For example:

ngrok http 80 --response-header-add "foo: bar" --response-header-add "foo: baz"

will result in a header with multiple values set

HTTP/2 200
foo: bar
foo: baz
note

There is a bug which currently causes the above behavior to not be correct. Only the last header to be used when specifying multiple headers. This behavior will be fixed to match what is documented above.

If you remove a header that has multiple values, all values will be removed.

Replacing Header Values

If you add a header that is already present in the HTTP response, it will add another header. For example, if you run:

ngrok http 80 --response-header-add "foo: new-value"

And the HTTP response from the upstream server was:

HTTP/2
foo: original-value

The client will receive the following:

HTTP/2
foo: original-value
foo: new-value

If you wish to replace a header, you can combine header removal and addition to achieve that effect.

ngrok http 80 --response-header-remove "foo" --response-header-add "foo: new-value"

This will cause the HTTP response in this case to become:

HTTP/2
foo: new-value

Case Sensitivity

When adding headers, ngrok normalizes all header keys to a lower case reprsentation per the http/2 RFC. See RFC 7540.

When removing headers, ngrok will remove any headers that match with a case-insensitive comparison.

Reference

Configuration

ParameterDescription
Added HeadersA list of of header names to header values. Max 5.
Removed HeadersA list of of header names to remove. Max 5.

Upstream Headers

This module does not add any upstream headers.

Errors

This module does not return any errors.

Events

This module does not populate any fields in events.

Limits

This module is available on all plans.

If you are not subscribed to a paid account, it is not permitted to remove the ngrok-agent-ip header. This header is part of ngrok's abuse deterrance mechanism.

Variables

ngrok makes variables available for interpolation into headers.

Some variables will only be populated with values if you have configured the corresponding module for your endpoint, otherwise they will be empty. For example, the variable ${.basic_auth.username} is only available if you have enabled the basic auth module on your endpoint.

Backend Variables

${.backend.connection_reused}True if ngrok reused a TCP connection to transmit the HTTP request to the upstream service.
${.backend.dial_duration}The time to establish a connection from ngrok to the agent.
${.backend.id}This is the ngrok ID of the backend that serviced this request. This is empty if the endpoint is not handled by an Edge.

Basic Auth Variables

These variables are only populated when using the Basic Auth module.

${.basic_auth.decision}allow if the request successfully authenticated via the Basic Auth module, block otherwise.
${.basic_auth.username}If the request successfully authenticated via the Basic Auth module, this is the username that authenticated.

Circuit Breaker Variables

These variables are only available when using the Circuit Breaker module.

${.circuit_breaker.decision}Whether the HTTP request was sent to the upstream service. allow if the breaker was closed, block if the breaker was open, allow_while_open if the request was allowed while the breaker is open.

Compression Variables

These variables are only populated when using the Compression module.

${.compression.algorithm}The compression algorithm used to encode responses from the endpoint. Either gzip, deflate, or none.
${.compression.bytes_saved}The difference between the size of the raw response and the size of the response as compressed by ngrok.

Connection Variables

${.conn.bytes_in}The number of bytes arriving at an endpoint from the frontend.
${.conn.bytes_out}The number of bytes leaving an endpoint to the frontend.
${.conn.client_ip}The source IP of the TCP connection to the ngrok edge.
${.conn.duration}The total duration (in seconds) of the TCP connection between the ngrok endpoint and the agent.
${.conn.end_ts}The timestamp when the TCP connection to the ngrok edge is closed.
${.conn.id}The ngrok ID for this TCP connection.
${.conn.server_ip}The IP address of the server that received the request.
${.conn.server_name}The hostname associated with this connection.
${.conn.server_port}The port that the connection for this request came in on.
${.conn.start_ts}The timestamp when the TCP connection to the ngrok edge is established.

Geo IP Variables

The source of this data is subject to change. It is currently provided by MaxMind GeoIP.

${.ngrok.geo.country_code}This is the two-letter ISO country code based on the client IP.
${.ngrok.geo.lat_long_radius_km}This is the radius in kilometers around the latitude and longitude where the client IP is likely to originate.
${.ngrok.geo.latitude}This is the approximate latitude based on the client IP.
${.ngrok.geo.longitude}This is the approximate longitude based on the client IP.

HTTP Variables

${.http.request_id}The unique ngrok-assigned ID of this request.
${.http.request.method}The request method, normalized to uppercase.
${.http.request.url.host}The host component of the request URL.
${.http.request.url.path}The path component of the request URL
${.http.request.url.query}The query string component of the request URL
${.http.request.url.raw}The full URL of the request including scheme, host, path, and query string.
${.http.request.url.scheme}The scheme component of the request URL.
${.http.request.user_agent}The value of the User-Agent header in the request received by ngrok edge.
${.http.request.version}The HTTP version used in the request.
${.http.response.status_code}The status code of the response returned by the ngrok edge.

IP Restrictions Variables

These variables are only populated when using the IP Restrictions module.

${.ip_policy.decision}allow if IP Policy module permitted the request to the upstream service, block otherwise.
${.ip_policy.matching_rule}The rule that triggered an IP Policy match on the endpoint.

Mutual TLS

These variables are only populated when using the Mutual TLS module.

${.tls.client_cert.serial_number}The serial number of the client's leaf TLS certificate in the Mutual TLS handshake.
${.tls.client_cert.subject.cn}The subject common name of the client's leaf TLS certificate in the Mutual TLS handshake.
${.tls.client_cert.subject}The subject of the client's leaf TLS certificate in the Mutual TLS handshake

ngrok Variables

${.ngrok.client_ip}This is the original client IP of the request.
${.ngrok.request_id}This is the unique request ID generated by ngrok

OAuth Variables

These variables are only populated when using the OAuth module.

${.oauth.app_client_id}The is the ID of the OAuth2 application used to handle this request.
${.oauth.decision}'allow' if the OAuth module permitted the request to the upstream service, 'block' otherwise.
${.oauth.user.email}This is the email address of the user that was authenticated.
${.oauth.user.id}The authenticated user's ID returned by the OAuth provider.
${.oauth.user.name}The authenticated user's name returned by the OAuth provider.

OpenID Connect Variables

These variables are only populated when using the OpenID Connect module. These variables are identical to the OAuth Variables.

${.oauth.app_client_id}The is the ID of the OAuth application used to handle this request.
${.oauth.decision}allow if the OpenID Connect module permitted the request to the upstream service, block otherwise.
${.oauth.user.email}This is the email address of the user that was authenticated.
${.oauth.user.id}The authenticated user's ID returned by the OpenID Connect provider.
${.oauth.user.name}The authenticated user's name returned by the OpenID Connect provider.

SAML Variables

These variables are only populated when using the SAML module.

${.ngrok.saml.subject}The SAML subject of the the authenticated user.

TLS Termination Variables

These variables are only populated on requests to HTTPS endpoints.

${.tls.cipher_suite}The cipher suite selected during the TLS handshake.
${.tls.version}The version of the TLS protocol used between the client and the ngrok edge.

Webhook Verification Variables

These variables are only populated when using the Webhook Verification module.

${.webhook_validation.decision}'allow' if the Webhook Verification module permitted the request to the upstream service, 'block' otherwise.

Try it out

First let's create a directory with an example file to serve.

mkdir test-response-headers
cd test-response-headers
echo "response headers test" > t.txt

Next, start ngrok and specify that we want to add a header.

ngrok http file://`pwd` --response-header-add="foo: bar"

In a separate terminal, curl that endpoint.

curl -I https://your-domain.ngrok.app/t.txt

You can see the foo: bar header in the response.

HTTP/2 200
accept-ranges: bytes
content-type: text/plain; charset=utf-8
date: Sat, 29 Jul 2023 14:58:28 GMT
foo: bar
last-modified: Sat, 29 Jul 2023 14:50:23 GMT
ngrok-agent-ips: 1.2.3.4
ngrok-trace-id: 85874fc497b4b0f0d849688dfe4df83c
content-length: 22

Now, let's try removing a header. We'll remove the last-modified header we saw in the previous response. Stop your previous instance of ngrok with Ctrl+C and then restart ngrok with a new command.

ngrok http file://`pwd` --response-header-remove="last-modified"

In a separate terminal, make another request to it.

curl -I https://your-domain.ngrok.app/t.txt

You can see that the last-modified header has been removed from the response.

HTTP/2 200
accept-ranges: bytes
content-type: text/plain; charset=utf-8
date: Sat, 29 Jul 2023 15:01:47 GMT
ngrok-agent-ips: 1.2.3.4
ngrok-trace-id: de01adaa98a96eef167e96485051d786
content-length: 22