Response headers shape how the browser caches, secures, and presents the page. Rewriting them in flight is one of the cleanest ways to test client behavior without rebuilding the backend, and {{previous}} keeps you safe from accidentally throwing away the original value.
Use updateResponseHeaderAction to change a header that the upstream server sent back, before Fluxzy hands the response to the client. The action overwrites the existing value or adds the header if addIfMissing is true. {{previous}} references the original value, which is useful when you want to prepend or append rather than replace.
Common situations:
Cache-Control or Strict-Transport-Security to test how the client behaves under different security policies.Server or X-Powered-By for fingerprint scrubbing during pentests.Content-Disposition to force a download in the browser.Connection critical headers such as Transfer-Encoding, Content-Length, and Connection are filtered out, so the protocol stays consistent.
Insert Access-Control-Allow-Origin: * only when the upstream did not already return one, useful when running a local SPA against a remote API.
rules:
- filter:
typeKind: HostFilter
pattern: api.example.com
actions:
- typeKind: UpdateResponseHeaderAction
headerName: Access-Control-Allow-Origin
headerValue: "*"
addIfMissing: true
Make sure browsers never cache API responses while debugging, regardless of what the backend returns.
rules:
- filter:
typeKind: JsonResponseFilter
actions:
- typeKind: UpdateResponseHeaderAction
headerName: Cache-Control
headerValue: no-store, no-cache, must-revalidate
addIfMissing: true
Replace the upstream server identification with a neutral value when sharing captures with third parties.
rules:
- filter:
typeKind: AnyFilter
actions:
- typeKind: UpdateResponseHeaderAction
headerName: Server
headerValue: redacted
addIfMissing: false
Update and existing response header. If the header does not exists in the original response, the header will be added.
Use {{previous}} keyword to refer to the original value of the header.
Note Headers that alter the connection behaviour will be ignored.
Evaluation scope defines the timing where this filter will be applied.
responseHeaderReceivedFromRemote This scope occurs the moment fluxzy has done parsing the response header.
updateResponseHeaderAction
The following table describes the customizable properties available for this action:
| Property | Type | Description | DefaultValue |
|---|---|---|---|
| headerName | string | ||
| headerValue | string | ||
| addIfMissing | boolean | false |
The following examples apply this action to any exchanges
Update the Server header.
rules:
- filter:
typeKind: AnyFilter
actions:
- typeKind: UpdateResponseHeaderAction
headerName: Server
headerValue: Fluxzy
View definition of UpdateResponseHeaderAction for .NET integration.
The following actions are related to this action:
The original value of the same header in the upstream response. If the header was absent, it expands to an empty string.
Yes. The action runs on the responseHeaderReceivedFromRemote scope, which is before Fluxzy serializes the response back to the client.
Connection and framing headers such as Content-Length, Transfer-Encoding, and Connection are protected. Use mockedResponseAction or content rewriting if you need to change the body.
Use deleteResponseHeaderAction for that. updateResponseHeaderAction is dedicated to replacing or inserting a value, not removing one.