[ezekg]

This type of behavior, where a CDN flat out ignores a header you’ve set in favor of their own values, without any indication, is incredibly frustrating.

I hit a similar issue when using Cloudflare and the Date header, where I was signing some parts of the response including the Date header. The problem was that if the request hit Cloudflare at just the right^W wrong time, the signature would be invalidated because their Date header value would be different than the original.

They didn’t see it as an issue, even though IIRC the HTTP spec states that a proxy server must not overwrite the Date header if it was set by a prior actor.

Took days of debugging to determine why some requests were producing invalid signatures.