Removing 'server: istio-envoy' Header from Istio Responses

Article Number: 000021891

Environment

  • SUSE Rancher 2.x
  • RKE2
  • Rancher-istio application

Situation

When routing a web application through Istio, the HTTP responses may include the header "server: istio-envoy". This may be flagged by security or compliance teams during audits.

Resolution

To remove the server header from the HTTP responses, apply the following EnvoyFilter configuration on the affected cluster:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ef-removeserver
  namespace: istio-system
spec:
  configPatches:
  # Patch the HTTP connection manager so Envoy passes the Server header
  # through instead of setting its default value (istio-envoy).
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          server_header_transformation: PASS_THROUGH
  # Remove the server header from the responses of every route configuration.
  - applyTo: ROUTE_CONFIGURATION
    patch:
      operation: MERGE
      value:
        response_headers_to_remove:
        - "server"

  • Ensure this filter is applied in the istio-system namespace, or in the namespace where your ingress gateway is running, depending on your specific deployment setup.
  • This solution uses an EnvoyFilter to remove the server header. The approach is based on community guidance shared in the following GitHub issue: GitHub Issue #13861 - Remove Server Header
  • The configuration sets server_header_transformation: PASS_THROUGH so that Envoy does not set the default istio-envoy value, and uses response_headers_to_remove to explicitly remove the server header from responses.
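
To confirm the result after applying the filter, the response headers can be checked for a remaining Server header. The script below is an added example, not part of the original article; the function names, the sample responses and the GATEWAY_URL variable are assumptions made for illustration.

```shell
# Added example: verify that a response no longer carries a Server header.

# server_header_lines: reads raw response headers on stdin (the format
# `curl -sI` prints) and emits a normalized "server: <value>" line for each
# Server header found. Names are matched case-insensitively and the CR of
# CRLF line endings is stripped first.
server_header_lines() {
    tr -d '\r' | awk '{
        i = index($0, ":")
        if (i == 0) next                      # status line or blank line
        if (tolower(substr($0, 1, i - 1)) != "server") next
        value = substr($0, i + 1)
        sub(/^[ \t]+/, "", value)
        print "server: " value
    }'
}

# check_headers: exit status 0 when no Server header is present, 1 otherwise.
check_headers() {
    found=$(server_header_lines)
    if [ -n "$found" ]; then
        printf 'FAIL: Server header still present:\n%s\n' "$found" >&2
        return 1
    fi
    echo "OK: no Server header in response"
}

# Constructed sample responses (not captured from a real gateway).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nserver: istio-envoy\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n'
}

# Live check: GATEWAY_URL is an assumed variable holding the URL of an
# application served through the ingress gateway.
if [ -n "${GATEWAY_URL:-}" ]; then
    curl -sI "$GATEWAY_URL" | check_headers
fi
```

Run it with GATEWAY_URL set to an application URL behind the gateway; a non-zero exit status means a Server header is still being returned.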