Tons of secret headers on outgoing Fetch

I created a CORS proxy from the sample at https://developers.cloudflare.com/workers/examples/cors-header-proxy . It has customization, of course. But I noticed that the outgoing fetch to http://scooterlabs.com/echo?argname=argval , a header echo debug tool, has a bunch of extra headers like Cf-Connecting-Ip, Cf-Worker, Cf-Request-Id, Cdn-Loop, Cf-Visitor, Cf-Ew-Via, X-Forwarded-For, etc. My proxy is connecting to a content server that has some layer 7 HTTP security software, and the extra headers result in the API call being denied.

Simple webservice echo test: make a request to this endpoint to return the HTTP request parameters and headers. Results available in plain text, JSON, or XML formats. See http://www.cantoni.org/2012/01/08/simple-webservice-echo-test for more details, or https://github.com/bcantoni/echotest for source code.

Array
(
    [method] => GET
    [headers] => Array
        (
            [Cf-Connecting-Ip] => 74.64.29.184
            [Cf-Worker] => dansproxy.workers.dev
            [Cf-Request-Id] => 057d1859490000f0410325b000000001
            [Upgrade-Insecure-Requests] => 1
            [Pragma] => no-cache
            [Origin] => http://scooterlabs.com
            [Dnt] => 1
            [User-Agent] => Mozilla/5.0 (Windows NT 6.1; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4250.0 Iron Safari/537.36
            [Referer] => http://scooterlabs.com
            [Cache-Control] => no-cache
            [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
            [Accept-Language] => en-US,en;q=0.9
            [Cdn-Loop] => cloudflare; subreqs=1
            [Cf-Ew-Via] => 15
            [Cf-Visitor] => {"scheme":"http"}
            [X-Forwarded-Proto] => http
            [Cf-Ray] => 5da85cd546ccf041-EWR
            [X-Forwarded-For] => 74.64.29.184
            [Accept-Encoding] => gzip
            [Connection] => close
            [Host] => scooterlabs.com
        )

    [request] => Array
        (
            [argname] => argval
        )

    [client_ip] => 74.64.29.184
    [time_utc] => 2020-09-29T20:13:04+0000
    [info] => Echo service from Scooterlabs (http://www.scooterlabs.com)
)

Even stranger, if I use the Dash Workers Playground/Quick Edit tool, the headers are missing and my outgoing fetch is PERFECTLY identical to how I crafted my Request object, the correct way.

Array
(
    [method] => GET
    [headers] => Array
        (
            [Connection] => close
            [Referer] => http://scooterlabs.com
            [Origin] => http://scooterlabs.com
            [Host] => scooterlabs.com
        )

    [request] => Array
        (
            [argname] => argval
        )

    [client_ip] => 130.211.114.17
    [time_utc] => 2020-09-29T20:26:13+0000
    [info] => Echo service from Scooterlabs (http://www.scooterlabs.com)
)

Even stranger, my "IP" is 130.211.114.17, which is a Google ASN IP address, not a Cloudflare IP, when using the Quick Edit tool.

  // The inbound Request's headers are immutable in Workers, so this assumes
  // `request` is a mutable copy (e.g. new Request(url, incoming)) and `apiurl`
  // is a URL object for the upstream API.
  let h = request.headers;
  h.set('Origin', apiurl.origin);
  h.set('Referer', apiurl.origin);
  h.set('Host', apiurl.host);
  // Header names are case-insensitive, so the mixed case below is harmless.
  h.delete('X-Forwarded-Proto');
  h.delete('Cdn-Loop');
  h.delete('Cf-Connecting-Ip');
  h.delete('Cf-Ew-Via');
  h.delete('Cf-Request-Id');
  h.delete('Cf-Visitor');
  h.delete('Cf-Worker');
  h.delete('X-Forwarded-For');
  let response = await fetch(request);

My proxy does delete the headers if they exist (I never checked whether they come from the incoming request object or are added to my outgoing request object secretly). But the secret headers are still there!

How do I get rid of all the extra outgoing fetch headers in production? And why don't the Quick Edit worker and the production worker produce the same results?

Unfortunately, it's not possible for Cloudflare users to disable these headers. These headers are not really secret, as they're mostly documented on multiple support/documentation pages such as this one.

The Workers preview tool is hosted on Google Cloud’s infrastructure, which is why you’re seeing that network requests executed from that are actually coming from Google. Once your worker is deployed, all requests going through it will be handled by Cloudflare’s infrastructure as expected.
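An added example, not code from the original post or from Cloudflare: instead of deleting a fixed list of known Cloudflare header names from a copy of the inbound request, build the upstream Request from an explicit allowlist and block anything matching the cf-*/x-forwarded-* prefixes, so a header name missing from the delete list cannot slip through. The `apiurl` name mirrors the snippet above; `FORWARDED_HEADERS`, `buildUpstreamRequest`, `leakedPlatformHeaders` and the sample inbound request are assumptions constructed for this example. As the reply says, this only controls what the Worker itself forwards; it does not remove anything Cloudflare's edge adds after fetch() leaves the Worker, so the on-the-wire result still has to be confirmed against an echo endpoint as the post did.

```javascript
// Added example (not from the original post): allowlist-based header forwarding
// for a Workers CORS proxy. Uses only the WHATWG Request/Headers API, so it runs
// in Cloudflare Workers and in Node 18+ (for the offline check below).

// Request headers the proxy legitimately needs to pass to the upstream API.
const FORWARDED_HEADERS = [
  'accept',
  'accept-language',
  'accept-encoding',
  'content-type',
  'user-agent',
];

// Platform / hop-by-hop headers that must never reach the origin. Prefix
// matching covers cf-* names that an explicit delete list would miss.
const BLOCKED_PREFIXES = ['cf-', 'x-forwarded-'];
const BLOCKED_NAMES = new Set(['cdn-loop', 'via', 'connection', 'x-real-ip']);

function isPlatformHeader(name) {
  const n = name.toLowerCase();
  return BLOCKED_NAMES.has(n) || BLOCKED_PREFIXES.some((p) => n.startsWith(p));
}

// Build the outgoing Request for the upstream API. `apiurl` is a URL object
// (assumed name, as in the snippet above). A new Request gets mutable headers;
// the inbound Request's headers cannot be edited in Workers.
function buildUpstreamRequest(incoming, apiurl) {
  const h = new Headers();
  for (const name of FORWARDED_HEADERS) {
    const v = incoming.headers.get(name);
    if (v !== null && !isPlatformHeader(name)) h.set(name, v);
  }
  // Present the proxy as a same-origin caller of the upstream API.
  h.set('Origin', apiurl.origin);
  h.set('Referer', apiurl.origin);

  const init = { method: incoming.method, headers: h, redirect: 'follow' };
  if (!['GET', 'HEAD'].includes(incoming.method)) {
    init.body = incoming.body;
    init.duplex = 'half'; // Node's fetch requires this for stream bodies
  }
  return new Request(apiurl.toString(), init);
}

// Check helper: names of platform headers still present on a Request.
function leakedPlatformHeaders(request) {
  const leaked = [];
  for (const [name] of request.headers) {
    if (isPlatformHeader(name)) leaked.push(name);
  }
  return leaked;
}

// Constructed sample inbound request, mirroring the echo output in the post.
function sampleInbound() {
  return new Request('https://dansproxy.workers.dev/?argname=argval', {
    method: 'GET',
    headers: {
      'Cf-Connecting-Ip': '74.64.29.184',
      'Cf-Worker': 'dansproxy.workers.dev',
      'Cdn-Loop': 'cloudflare; subreqs=1',
      'X-Forwarded-For': '74.64.29.184',
      'Accept': 'text/html',
      'User-Agent': 'Mozilla/5.0',
    },
  });
}

// Offline demo: the inbound copy leaks four platform headers, the rebuilt
// upstream request leaks none.
function demo() {
  const apiurl = new URL('http://scooterlabs.com/echo?argname=argval');
  const inbound = sampleInbound();
  const upstream = buildUpstreamRequest(inbound, apiurl);
  return {
    inboundLeaks: leakedPlatformHeaders(inbound),
    upstreamLeaks: leakedPlatformHeaders(upstream),
    url: upstream.url,
    origin: upstream.headers.get('origin'),
  };
}
```

In a Worker, `buildUpstreamRequest(request, apiurl)` replaces the copy-then-delete step and the result is passed straight to fetch(). Run `leakedPlatformHeaders` on the built Request in a test, and keep an echo endpoint in the loop for the deployed Worker, since that is the only place where headers appended outside the Worker become visible.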
