How do I remove Envoy response headers? Asking about ways to disable sensitive response headers
Hey Kevin, great question! Disabling or removing those sensitive Envoy response headers like Server and X-Envoy-Upstream-Service-Time is totally straightforward, and you can do it either globally (for all traffic) or per specific route. Let me walk you through the most common methods:
If you want these headers stripped from every response Envoy sends, tweak your main Envoy config like this:
Remove X-Envoy-Upstream-Service-Time and Custom Headers
Add a response_headers_to_remove list to the route_config inside your http_connection_manager section (the connection manager itself has no such field; header removal lives in the route configuration). This lets you specify any headers you want to eliminate:

```yaml
http_connection_manager:
  stat_prefix: ingress_http
  codec_type: AUTO
  # ... keep your existing config here ...
  route_config:
    # Applies to every response for every route in this route config
    response_headers_to_remove:
      - "X-Envoy-Upstream-Service-Time"
      # Add any other sensitive headers you want to remove here
```
Handle the Server Header Specifically
The Server header is added by Envoy itself by default, so it needs a dedicated setting: server_header_transformation has no "strip" value (its values are OVERWRITE, APPEND_IF_ABSENT and PASS_THROUGH), so tell Envoy not to add the header with PASS_THROUGH and drop any copy the upstream sends via response_headers_to_remove. Add this to the same http_connection_manager block:

```yaml
http_connection_manager:
  # ... existing config ...
  server_header_transformation: PASS_THROUGH  # Envoy no longer adds its own Server header
  route_config:
    response_headers_to_remove:
      - "server"  # also drop any Server header set by the upstream service
```
If you ever want to replace it with a custom value instead of removing it entirely, use OVERWRITE together with server_name:

```yaml
server_header_transformation: OVERWRITE
server_name: "My-Custom-Server-Identifier"
```
If you only need these headers removed for specific routes (not all traffic), define the removal directly in your route config:

```yaml
routes:
  - match:
      prefix: "/sensitive-api"
    route:
      cluster: my_sensitive_service_cluster
    # Remove headers exclusively for this route
    response_headers_to_remove:
      - "X-Envoy-Upstream-Service-Time"
      # Only effective when the http_connection_manager uses
      # server_header_transformation: PASS_THROUGH; with the default
      # OVERWRITE, Envoy re-adds Server after route header mutation
      - "Server"
```
- Header names are case-insensitive in Envoy's config, but matching the actual header casing (like X-Envoy-Upstream-Service-Time) makes your config easier to read.
- You don't need extra plugins or Lua filters for this—Envoy's built-in settings handle these scenarios perfectly.
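To check an existing config for the conditions described above, here is an added example in Python (not code from the original answer or from the Envoy project). It walks an Envoy bootstrap supplied as JSON (Envoy accepts JSON as well as YAML; the sample config is constructed) and reports, per route, which of the two headers would still reach clients, applying the rule that a route-level removal of Server only holds when the manager uses PASS_THROUGH.

```python
import json

SENSITIVE = ("server", "x-envoy-upstream-service-time")

def _removed(node):
    """Lower-cased names in a node's response_headers_to_remove list."""
    return {h.lower() for h in node.get("response_headers_to_remove", [])}

def _find_hcms(node):
    """Yield every http_connection_manager typed_config (static route_config) in the tree."""
    if isinstance(node, dict):
        if "stat_prefix" in node and "route_config" in node:
            yield node
        for v in node.values():
            yield from _find_hcms(v)
    elif isinstance(node, list):
        for v in node:
            yield from _find_hcms(v)

def audit(config):
    """Map each manager's stat_prefix to {route prefix: [headers still leaking]}."""
    report = {}
    for hcm in _find_hcms(config):
        # Envoy re-adds Server after route header mutation unless PASS_THROUGH.
        passthrough = hcm.get("server_header_transformation") == "PASS_THROUGH"
        rc = hcm["route_config"]
        per_route = {}
        for vh in rc.get("virtual_hosts", []):
            for route in vh.get("routes", []):
                removed = _removed(rc) | _removed(vh) | _removed(route)
                leaked = [h for h in SENSITIVE if h not in removed]
                if "server" not in leaked and not passthrough:
                    leaked.insert(0, "server")  # route removal undone by OVERWRITE
                per_route[route.get("match", {}).get("prefix", "?")] = leaked
        report[hcm["stat_prefix"]] = per_route
    return report

# Constructed sample: one manager left at defaults, one hardened as the answer describes.
SAMPLE = json.loads("""{"static_resources":{"listeners":[
 {"filter_chains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager",
  "typed_config":{"stat_prefix":"weak_http","route_config":{"virtual_hosts":[{"name":"w",
  "domains":["*"],"routes":[{"match":{"prefix":"/"},"route":{"cluster":"app"},
  "response_headers_to_remove":["Server"]}]}]}}}]}]},
 {"filter_chains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager",
  "typed_config":{"stat_prefix":"hard_http","server_header_transformation":"PASS_THROUGH",
  "route_config":{"response_headers_to_remove":["server","x-envoy-upstream-service-time"],
  "virtual_hosts":[{"name":"h","domains":["*"],"routes":[{"match":{"prefix":"/api"},
  "route":{"cluster":"app"}}]}]}}}]}]}]}}""")
if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Managers that load routes via RDS are not inspected, since their route configuration is not in the bootstrap file.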
The question comes from Stack Exchange; its author is Kevin.