Envoy Metadata disclosure - Vulnerability Database

Envoy Metadata disclosure

Description

The Envoy proxy is misconfigured to include the "x-envoy-peer-metadata" response header, which exposes internal infrastructure details such as service names, namespaces, cluster information, and workload identifiers. This metadata is intended for internal service mesh communication and should not be visible to external clients or untrusted parties.

Remediation

Configure the Envoy proxy to remove the "x-envoy-peer-metadata" header (and its companion "x-envoy-peer-metadata-id") from responses sent to external clients. This can be achieved by adding a response header manipulation rule to the Envoy route configuration:

response_headers_to_remove:
  - "x-envoy-peer-metadata"
  - "x-envoy-peer-metadata-id"

Alternatively, strip these headers in the HTTP connection manager's route configuration. Note that "response_headers_to_remove" is a field of the route configuration (or of an individual virtual host or route), not of the filter chain, so it must sit under "route_config" rather than next to "http_filters":

http_filters:
  - name: envoy.filters.http.router
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
  response_headers_to_remove:
    - "x-envoy-peer-metadata"
    - "x-envoy-peer-metadata-id"
  virtual_hosts:
    - name: backend
      domains: ["*"]
      routes:
        - match: { prefix: "/" }
          route: { cluster: backend_service }

After applying the configuration changes, restart the Envoy proxy and verify that the headers are no longer present in external responses using tools like curl or browser developer tools.
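The verification step above can be scripted so it is repeatable after every configuration change. The following is an added example, not code from Invicti or from the Envoy project: it parses the header block of an HTTP response (as printed by "curl -i") or performs a live GET, and reports any peer-metadata headers that reached the client. The sample responses, hostnames and header values embedded in it are constructed for illustration.

```python
"""Check an HTTP response for Envoy peer-metadata disclosure.

Added example (not Invicti's or Envoy's code). Works on a raw response
captured with `curl -i`, or on a live request. All sample data below is
constructed; the URL in __main__ is a placeholder.
"""
import http.client
import sys
import urllib.parse

# Headers that the remediation says must not reach external clients.
PEER_METADATA_HEADERS = ("x-envoy-peer-metadata", "x-envoy-peer-metadata-id")


def parse_raw_http_response(raw: str) -> dict:
    """Parse the status line and header block of an HTTP/1.x or HTTP/2 response
    text (e.g. the output of `curl -i`) into a dict of lower-cased header names.
    Repeated headers are joined with ', '."""
    separator = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(separator, 1)[0]
    lines = head.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("input does not start with an HTTP status line")
    headers: dict = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def find_leaked_peer_metadata(headers: dict) -> dict:
    """Return the subset of headers that disclose Envoy peer metadata."""
    return {n: v for n, v in headers.items() if n.lower() in PEER_METADATA_HEADERS}


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Issue a GET to `url` and return any peer-metadata headers in the response.
    Not exercised offline; intended for the post-change verification step."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return find_leaked_peer_metadata({k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()


# Constructed sample: what a response looks like BEFORE the headers are removed.
# The metadata values are placeholders, not captured from any real deployment.
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "server: istio-envoy\r\n"
    "x-envoy-peer-metadata-id: sidecar~10.0.0.1~example-pod.default~default.svc.cluster.local\r\n"
    "x-envoy-peer-metadata: Q09OU1RSVUNURURfU0FNUExFX0JMT0I=\r\n"
    "content-type: text/html\r\n"
    "\r\n"
    "<html>constructed body</html>"
)

# Constructed sample: the same response AFTER response_headers_to_remove is applied.
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "server: istio-envoy\r\n"
    "content-type: text/html\r\n"
    "\r\n"
    "<html>constructed body</html>"
)


def report(raw: str) -> str:
    """Human-readable verdict for a raw response."""
    leaked = find_leaked_peer_metadata(parse_raw_http_response(raw))
    if not leaked:
        return "OK: no Envoy peer-metadata headers exposed"
    return "FAIL: exposed headers: " + ", ".join(sorted(leaked))


if __name__ == "__main__":
    # Usage: python check_envoy_metadata.py https://example.invalid/  (placeholder URL)
    if len(sys.argv) > 1:
        leaked = check_url(sys.argv[1])
        print("FAIL" if leaked else "OK", leaked)
    else:
        print(report(BEFORE_FIX))
        print(report(AFTER_FIX))
```

Run it without arguments to see the verdict on the two constructed samples, or pass a URL to check a live endpoint from outside the mesh; a passing check must be repeated through the actual external path (load balancer or ingress), since a request made from inside the cluster may bypass the route configuration that strips the headers.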
