Forwarded headers
After validating a session, PassBeyond removes client-supplied identity headers and creates trusted values for the backend.
Identity headers
| Header | Value |
|---|---|
X-Passbeyond-User | Authenticated subject |
REMOTE_USER | Same subject, using the classic non-canonicalized header name |
X-REMOTE-USER | Same subject for application compatibility |
X-Forwarded-User | Same subject for application compatibility |
X-Passbeyond-IssuedAt | JWT issue time in RFC 3339 format |
X-Passbeyond-ExpiresAt | JWT expiry in RFC 3339 format |
X-Passbeyond-Instance-ID | Generated instance identifier used to detect proxy loops |
The subject is the first usable value among mapped email, mapped sAMAccountName, and SAML NameID.
Attribute headers
Mapped SAML data uses X-Passbeyond-Data-<Name>. Common examples are:
X-Passbeyond-Data-Email: alice@example.com
X-Passbeyond-Data-Givenname: Alice
X-Passbeyond-Data-Surname: Example
X-Passbeyond-Data-Department: Engineering
X-Passbeyond-Data-Groups: app-users,report-readersMulti-valued groups are joined with commas. Empty or missing attributes are not added. See Supported claims for source aliases and normalized keys.
HTTP field names are case-insensitive. Applications and intermediaries may display a different capitalization than the examples.
Client address headers
PassBeyond resolves the client address from the direct peer and, only for configured trustedProxies, the first X-Forwarded-For value. It overwrites both headers sent downstream:
X-Forwarded-For: 203.0.113.20
X-Real-IP: 203.0.113.20Authorization header
With proxy.useBasicAuth: true, PassBeyond sends the authenticated subject with an empty password:
Authorization: Basic <base64(subject + ":")>Incoming Basic authorization is removed by default. Bearer authorization is retained for backend APIs and token-based flows. YAML option proxy.ignoreAuthorizationHeader: true also retains incoming Basic authorization and should be used only for intentional compatibility.
Headers removed from clients
Before adding its own values, PassBeyond removes:
REMOTE_USERandRemote-User;X-REMOTE-USER;X-Forwarded-User;- any header beginning with
X-Passbeyond-; - Basic
Authorization, unless explicitly preserved.
The __passbeyond_session cookie is removed from the proxied request. Other application cookies remain available to the backend.
Isolate the backend
Header cleanup protects requests passing through PassBeyond. It cannot prevent a direct client from forging these headers when the backend is reachable through another network path.
See Application integrations for choosing an authentication pattern, and Generic header authentication for a backend validation checklist.