End-to-end headers that are transmitted to the ultimate recipient of a request or response. End-to-end headers in responses must be stored as part of a cache entry and must be transmitted in any response formed from a cache entry.
Hop-by-hop headers that are meaningful only for a single transport-level connection, and are not stored by caches or forwarded by proxies.
X-Bar as hop-by-hop, which means that the client wants the proxy to remove them from the request before forwarding it.
The Connection header itself is the default hop-by-hop header. This implies that a compliant proxy should not forward the list of custom hop-by-hop headers to the next server in the chain in its own Connection header when it forwards the request. In practice this does not always happen: some systems either forward the entire Connection header untouched, or copy the nominated hop-by-hop list into their own Connection header, so the next hop strips the same headers again. For example, HAProxy most likely passes the Connection header untouched, and Nginx in reverse proxy mode behaves the same way.
X-Important-Header and takes its presence into account in the logical decision.
Cookie header for an endpoint which requires authentication (assuming the target system uses cookie authentication). For example, let's assume that the
200 OK with information about the user. In this case, the following request may return something other than the expected response if the system is vulnerable:
400 Bad Request or 501 Not Implemented.
X-Forwarded-For header, so that the backend knows the user's IP address. However, if you tell a proxy that X-Forwarded-For is hop-by-hop and the proxy honours that nomination, it will remove the header from the request. The backend will then either never receive the user's IP address at all, or receive the IP address of another element elsewhere in the chain, depending on whether the proxy adds its own X-Forwarded-For before or after it strips hop-by-hop headers, and on whether the client's Connection list is forwarded to the next hop.