Skip to content

Forwarded headers

After validating a session, PassBeyond removes client-supplied identity headers and creates trusted values for the backend.

Identity headers

HeaderValue
X-Passbeyond-UserAuthenticated subject
REMOTE_USERSame subject, using the classic non-canonicalized header name
X-REMOTE-USERSame subject for application compatibility
X-Forwarded-UserSame subject for application compatibility
X-Passbeyond-IssuedAtJWT issue time in RFC 3339 format
X-Passbeyond-ExpiresAtJWT expiry in RFC 3339 format
X-Passbeyond-Instance-IDGenerated instance identifier used to detect proxy loops

The subject is the first usable value among mapped email, mapped sAMAccountName, and SAML NameID.

Attribute headers

Mapped SAML data uses X-Passbeyond-Data-<Name>. Common examples are:

http
X-Passbeyond-Data-Email: alice@example.com
X-Passbeyond-Data-Givenname: Alice
X-Passbeyond-Data-Surname: Example
X-Passbeyond-Data-Department: Engineering
X-Passbeyond-Data-Groups: app-users,report-readers

Multi-valued groups are joined with commas. Empty or missing attributes are not added. See Supported claims for source aliases and normalized keys.

HTTP field names are case-insensitive. Applications and intermediaries may display a different capitalization than the examples.

Client address headers

PassBeyond resolves the client address from the direct peer and, only for configured trustedProxies, the first X-Forwarded-For value. It overwrites both headers sent downstream:

http
X-Forwarded-For: 203.0.113.20
X-Real-IP: 203.0.113.20

Authorization header

With proxy.useBasicAuth: true, PassBeyond sends the authenticated subject with an empty password:

http
Authorization: Basic <base64(subject + ":")>

Incoming Basic authorization is removed by default. Bearer authorization is retained for backend APIs and token-based flows. YAML option proxy.ignoreAuthorizationHeader: true also retains incoming Basic authorization and should be used only for intentional compatibility.

Headers removed from clients

Before adding its own values, PassBeyond removes:

  • REMOTE_USER and Remote-User;
  • X-REMOTE-USER;
  • X-Forwarded-User;
  • any header beginning with X-Passbeyond-;
  • Basic Authorization, unless explicitly preserved.

The __passbeyond_session cookie is removed from the proxied request. Other application cookies remain available to the backend.

Isolate the backend

Header cleanup protects requests passing through PassBeyond. It cannot prevent a direct client from forging these headers when the backend is reachable through another network path.

See Application integrations for choosing an authentication pattern, and Generic header authentication for a backend validation checklist.

Released under the MIT License.