Setting response headers based on cURL response

[NotionCommotion]

A HTTP request is made to the server, Slim creates a Request and Response object, content in the Request is sent to another server using cURL via Guzzle, Guzzle returns its own Response,  and content from Guzzle's response must be returned by the original Slim response.

Would you recommend white-listing or black-listing response headers, and which specific headers?

Similarly, would you recommend white-listing or black-listing the request headers sent via cURL, and which specific headers?

Thanks

<?php
use Psr\Http\Message\ResponseInterface as Response;
use GuzzleHttp\Psr7\Response as CurlResponse;

class ApiResponder
{
    public function delete(Response $httpResponse, CurlResponse $curlResponse) {
        return $this->proxy($httpResponse, $curlResponse);
    }
    //other public methods...

    private function proxy(Response $httpResponse, CurlResponse $curlResponse) {
        foreach($this->getResponseHeaders($curlResponse) as $name=>$value) {
            $httpResponse=$httpResponse->withHeader($name, $value);
        }
        return $httpResponse->withBody($curlResponse->getBody())->withStatus($curlResponse->getStatusCode());
    }

    private function getResponseHeaders(Response $httpResponse):array
    {
        //Blacklist headers which should be returned to original client.  TBD whether I should whitelist headers instead.
        $blacklist=['Date'=>null, 'Server'=>null, 'X-Powered-By'=>null, 'Access-Control-Allow-Origin'=>null, 'Access-Control-Allow-Methods'=>null, 'Access-Control-Allow-Headers'=>null, 'Set-Cookie'=>null];
        return array_diff_key($curlResponse->getHeaders(), $blacklist);
    }

    /**
    * This method doesn't really exist in this class, but is just included to show which headers I am forwarding in the cURL request.
    */
    private function getRequestHeaders($clientRequest):array
    {
        $whitelist=['connection'=>null,'accept'=>null,'accept-encoding'=>null,'accept-language'=>null,'content-type'=>null,'content-length'=>null];
        return array_intersect_key($clientRequest->getHeaders(), $whitelist);
    }
}

 

[requinix]

If you're intending to act as a proxy then the behavior of proxies when it comes to returning headers is defined for HTTP and you should mirror it.

If you're intending to just kinda act as a middleware between the client and the actual source you're communicating with then I would whitelist by mapping the headers you know the remote server will return to headers that your service should return.