API Connect


Need to remove the particular response headers

  • 1.  Need to remove the particular response headers

    Posted Fri September 29, 2023 10:25 AM

    Hello Team,

    Can we remove "X-RateLimit-Limit" and "X-RateLimit_Remaining" from response headers? If yes, please guide, because I have tried using gatewayscript, Set Variable and suppressing the headers from DataPower, but I am unable to remove them.



    ------------------------------
    Pawan Jinaga
    ------------------------------


  • 2.  RE: Need to remove the particular response headers

    Posted Fri September 29, 2023 04:28 PM

    Hi Pawan,
    What you're running into is when these headers are added to your response headers in relation to your assembly rule.  As you've found out, the headers are being added after your assembly rule completes processing, so your attempts within your API assembly are not working.  What type of Gateway are you using?  For a v5 compatible gateway, a post-response or post-error gateway extension would be your only option.  I've not tried this with the API Gateway to determine if a post-response or post-error global policy would be executed after these headers are added so you could subsequently remove them, but that is the only solution I can think of that MIGHT work.  I'll need to ask around or do a prototype before I can give a definitive answer.
    Best Regards,
    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 3.  RE: Need to remove the particular response headers

    Posted Mon October 02, 2023 09:41 AM

    Hi Pawan,

    From discussions I've had with other developers, this can only be done with a post response global policy and only within the finally clause of the global policy.  The finally clause is only supported starting at DataPower 10.5.0.x, so if you're using API Connect/DataPower versions 10.0.1.x you'll need to upgrade both API Connect and DataPower.

    Best Regards,
    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 4.  RE: Need to remove the particular response headers

    Posted Mon December 04, 2023 12:31 PM
    We have the same issue & we are removing the 'X-RateLimit-Limit' header in the finally clause of the post response global policy.
    We are still seeing that header in the response in SOAPUI.
    The DataPower version we are using is 10.5.0.8 & the APIC version is 10.0.5.3.
    Code snippet:
    finally:
      - gatewayscript:
          version: 2.0.0
          title: gatewayscript
          source: |-
            context.message.header.remove('X-RateLimit-Limit');
            context.message.header.remove('X-RateLimit-Remaining');
    Any thoughts on this are much appreciated.
    Thanks,
    Mahima



    ------------------------------
    Mahima Annagiri
    ------------------------------



  • 5.  RE: Need to remove the particular response headers

    Posted Mon December 04, 2023 02:16 PM

    Hi Mahima,
    This has been reported by other customers, and a fix will be delivered in the next DataPower fixpack 10.5.0.9 which is in final testing and should be available in the not too distant future (a week or so if all goes well).  If you can be patient, I'd get that fix pack when it is available.  Also, I must correct my previous post where the update to the headers must be in the post-error global policy's finally rule, NOT the post-response that I had incorrectly stated before.  The issue is the global finally, where the post-error finally policies deploy, by default has an action called an API Result action, and the post-error was adding the policies from the global error policy BEFORE the API Result action, but it is this API Results action that fills in the CORS and Rate Limit headers.  The fix properly keeps the API Result action first and adds the global policy actions after the API Results action so the subsequent global policy processing will change what is returned to the end user.

    Best Regards,
    Steve Linn



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 6.  RE: Need to remove the particular response headers

    Posted Wed December 06, 2023 11:26 PM

    Hello @Steve Linn,

    Thanks for the reply. We will try to update when the changes are available. 
    But the post error global policy can only contain catch & finally policies, which would mean we will have to create a catch policy even though we do not have a requirement to catch any error globally. For removing the ratelimit headers, the post error global policy does not seem to be the ideal spot.



    ------------------------------
    Mahima Annagiri
    ------------------------------



  • 7.  RE: Need to remove the particular response headers

    Posted Mon December 11, 2023 10:06 AM

    Hi Mahima,
    10.5.0.9 was made available Friday 12/08.  See https://www.ibm.com/support/pages/node/6607653?myns=swgother&mynp=OCSS9H2Y&mync=E&cm_sp=swgother-_-OCSS9H2Y-_-E
    As for your question, the post-error global policy, from a DataPower perspective, is really executed at the end of all transaction processing, so yes, it may seem an odd place, but the default post transaction finally processing is where the rate-limit and CORS headers are added, so your post-error finally will be where you can remove what the default post transaction processing added.
    Best Regards,
    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 8.  RE: Need to remove the particular response headers

    Posted Mon February 12, 2024 10:50 AM

    Hi @Steve Linn

    Fantastic thread - detailed and knowledgeable answers. Thank you SO much.. We have been pulled around by support and developers for a few weeks now, where we needed to remove some response headers (and some mirrored input headers). We have been told that it was possible using the normal post assembly. But we could not get it working - and have been sending information to them in a continuous stream, he he..

    This explains a lot and suddenly all our frustrations make sense, he he.. We are on API Connect 10.0.5.5, meaning DataPower 10.5.0.7 from much earlier last year..

    I guess we will wait for the latest fixes to be available in API Connect as well - and find a workaround until then.. 





    ------------------------------
    Team API
    ------------------------------



  • 9.  RE: Need to remove the particular response headers

    Posted Tue February 20, 2024 11:07 AM

    Hi All, 
    I wanted to add one additional point about the post-error finally handling.  This is for actual API traffic only (i.e., HTTP GET, POST, etc.).  If an OPTIONS request is sent to handle CORS only, this skips the assembly processing and thus there is no post-response/post-error processing that can catch anything to modify any response headers.  This is by design.  My apologies if there was any confusion on this point.
    Best Regards,

    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------
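
One way to verify the outcome discussed in this thread, as an added example that is not part of any post: a Node.js check that parses captured gateway responses and reports whether the two rate-limit headers are still present, treating OPTIONS preflights separately because they skip assembly processing. The function names, verdict labels and sample responses are assumptions constructed for illustration.

```javascript
// Added example: audit captured gateway responses for the two headers named in
// this thread. All sample responses below are constructed, not real captures.
const BLOCKED = ['x-ratelimit-limit', 'x-ratelimit-remaining'];

// Parse the head of a raw HTTP/1.1 response into a status code and a list of
// [lower-cased name, value] pairs (header names are case-insensitive).
function parseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const [statusLine, ...lines] = head.split(/\r?\n/);
  const status = Number(statusLine.split(' ')[1]);
  const headers = [];
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i <= 0) continue; // skip malformed lines
    headers.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return { status, headers };
}

// Verdicts (hypothetical labels): 'clean', 'policy-not-effective', or
// 'outside-policy-scope' for OPTIONS, which skips assembly processing.
function auditResponse(method, raw) {
  const { status, headers } = parseHead(raw);
  const leaked = headers.map(([n]) => n).filter((n) => BLOCKED.includes(n));
  let verdict = 'clean';
  if (leaked.length > 0) {
    verdict = method.toUpperCase() === 'OPTIONS'
      ? 'outside-policy-scope' : 'policy-not-effective';
  }
  return { method, status, leaked, verdict };
}

// Constructed samples: before the fix, after the fix, and a hypothetical
// CORS preflight response that carries one of the headers.
const SAMPLE_BEFORE = ['HTTP/1.1 200 OK', 'Content-Type: application/json',
  'X-RateLimit-Limit: 100', 'x-ratelimit-remaining: 99', '', '{"ok":true}'].join('\r\n');
const SAMPLE_AFTER = ['HTTP/1.1 200 OK', 'Content-Type: application/json',
  '', '{"ok":true}'].join('\r\n');
const SAMPLE_PREFLIGHT = ['HTTP/1.1 200 OK', 'Access-Control-Allow-Origin: *',
  'X-RateLimit-Limit: 100', '', ''].join('\r\n');

for (const [m, r] of [['GET', SAMPLE_BEFORE], ['GET', SAMPLE_AFTER],
  ['OPTIONS', SAMPLE_PREFLIGHT]]) {
  console.log(JSON.stringify(auditResponse(m, r)));
}
```

Feed it response heads captured from a test client for each HTTP method the API exposes; a 'policy-not-effective' verdict on GET or POST means the post-error finally removal is not taking effect on that gateway.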



  • 10.  RE: Need to remove the particular response headers

    Posted Fri January 19, 2024 04:41 AM

    Hello there,

    Removing the X rate limit and the X rate limit remaining requires careful handling.  In DataPower, utilize the GatewayScript to access response headers. Implement code to delete specified headers.



    ------------------------------
    Sofiya Willams
    ------------------------------