Hey Ed,
In my opinion there is nothing wrong with using custom headers. I have seen this concern about proxies stripping headers before but I’m not convinced that it is as big a problem as it is rumored to be. There are certain headers that must be stripped off by intermediaries like Connection and Transfer-Encoding, but that is because they are defined as “hop-by-hop” and not intended to be passed along.
There are some issues where headers with underscores get stripped by nginx by default (http://stackoverflow.com/questions/23231063/simple-nginx-reverse-proxy-seems-to-strip-some-headers).
People have had concerns about Google’s proxy stripping headers, but according to their tech lead, it doesn’t (http://stackoverflow.com/a/28355894/6819).
I would recommend dropping the x- off the beginning of the custom header. Although it is common to see the prefix, it was deprecated a few years ago. https://tools.ietf.org/html/rfc6648
For the API key, I do think it is better to use a header than the URL. Although, the best place to put security keys is in the Authorization header. I’ve written about this before http://www.bizcoder.com/where-oh-where-does-the-api-key-go
One other issue to consider regarding putting values in headers is HTTP caching. By default, caches use the URL as part of the primary cache key. If you move the tenant identifier out of the URL, then in order to be able to take advantage of caching, you will need to include that header name in the Vary header, so that it becomes part of the secondary cache key. The only problematic part about that is that some caches have very limited support for the Vary header.
Hope that provides some more fuel for the conversation.
Regards,
Darrel
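
An added illustration of the caching point in the message above (not part of the original message): a toy shared cache in Python that keys on the URL and then on the request headers named in the response's Vary header. The `Tenant-Id` header name, the `/invoices` path and the tenant names are constructed for the example.

```python
# Toy shared cache; "Tenant-Id" is a hypothetical header name (assumption).

class SharedCache:
    """URL is the primary key; headers named in Vary form the secondary key."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}       # url -> [(vary_names, secondary_key, response)]
        self.origin_hits = 0  # how many requests reached the origin

    @staticmethod
    def _secondary_key(vary_names, request_headers):
        lowered = {k.lower(): v for k, v in request_headers.items()}
        return tuple(lowered.get(name) for name in vary_names)

    def get(self, url, request_headers):
        # A stored response is reusable only if the Vary-listed headers match.
        for vary_names, key, response in self.store.get(url, []):
            if self._secondary_key(vary_names, request_headers) == key:
                return response
        self.origin_hits += 1
        response = self.origin(url, request_headers)
        vary = response["headers"].get("Vary", "")
        vary_names = tuple(n.strip().lower() for n in vary.split(",") if n.strip())
        key = self._secondary_key(vary_names, request_headers)
        self.store.setdefault(url, []).append((vary_names, key, response))
        return response


def make_origin(send_vary):
    """Origin whose body depends on the tenant header, not on the URL."""
    def origin(url, request_headers):
        tenant = request_headers.get("Tenant-Id", "unknown")
        headers = {"Cache-Control": "public, max-age=60"}
        if send_vary:
            headers["Vary"] = "Tenant-Id"
        return {"headers": headers, "body": f"invoices for {tenant}"}
    return origin


def fetch_as_two_tenants(send_vary):
    cache = SharedCache(make_origin(send_vary))
    a = cache.get("/invoices", {"Tenant-Id": "acme"})["body"]
    b = cache.get("/invoices", {"Tenant-Id": "globex"})["body"]
    a_again = cache.get("/invoices", {"Tenant-Id": "acme"})["body"]
    return a, b, a_again, cache.origin_hits


if __name__ == "__main__":
    print("no Vary:  ", fetch_as_two_tenants(send_vary=False))
    print("with Vary:", fetch_as_two_tenants(send_vary=True))
```

Without Vary, the second tenant receives the first tenant's cached body; with `Vary: Tenant-Id`, each tenant gets its own entry and the repeat request is still served from cache.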