Optional features

F5 AI Gateway includes a set of optional features which can be enabled using feature flags.

Enable optional features

Optional features are enabled using the AIGW_FEATURES environment variable, specified in the values.yaml file.

See the Features section for valid feature flag values.

Example:

aigw:
  env:
    - name: AIGW_FEATURES
      # Internally all flags are trimmed of leading and trailing whitespace and upper-cased.
      value: "FEATURE_1,FEATURE_2,FEATURE_3"

Features

Header propagation

Warning

This feature is currently experimental and provided on an “as-is” and “try at your own risk” basis.

It may be unstable, incomplete, or subject to change without notice.

By enabling or using this feature, you acknowledge and accept that:

  • The feature has not undergone full security review or production-level testing.

  • The product and its developers make no guarantees regarding the security, reliability, or performance of this feature.

It is strongly recommend that experimental features be tested in non-production environments.

The header propagation feature enables the forwarding of client request and service response headers.

Without header propagation, as is the case when this feature is disabled, any HTTP request headers sent by the client other than X-Request-ID are dropped upon receipt.

Likewise any HTTP response headers returned by the upstream LLM are dropped before writing the client response.

With the header propagation feature enabled operators are given fine-grained control over how AI Gateway handles both HTTP request and HTTP response headers.

See the configuration and enforcement sections below to understand how to configure both request and response policies and how those policies are enforced by F5 AI Gateway.

To enable the header propagation feature, add the CUSTOM_HEADERS flag to the AIGW_FEATURES environment varaible in values.yaml.

aigw:
  env:
    - name: AIGW_FEATURES
      value: "CUSTOM_HEADERS"

Configuration

To enable header propagation start by declaring a new service with the executor custom. The custom executor is an extension of the openai conforming with it’s usage and chat completions API spec.

The custom executor configuration differs from the standard executor configuration in two ways.

  1. The custom executor does not support the use of secrets. Instead, credentials must either be passed through as request headers or configured in the request policy with a static value. An example is included below.

  2. The custom executor introduces a new configuration parameter, headers, which defines header propagation policies.

Each service declaration may define two named header policies:

  1. request – executed on incoming client request headers.

  2. response – executed on outgoing service response headers.

Each policy is configured with a set of rule parameters:

Parameter

Description

Type

allowAll

Allows all headers to pass through. No other options may be specified with this rule though it’s possible to append additional rules to the policy.

boolean

name

Identifies a header as eligible for propagation.

string

value

Sets a default value for the named header. Incoming headers may override this if allowOverride is true.

string

sensitive

Marks a header as sensitive. Sensitive values will be redacted in transaction exports.

boolean

required

Marks a header as required. After all rules (such as value) are applied, this header must be present AND have a non-empty value.

boolean

allowOverride

Allows an incoming header with the same name to override the configured value; otherwise(default) the incoming value is dropped.

boolean

Example Configuration:

services:
  - name: openai
    executor: custom
    type: gpt-4.1
    config:
      endpoint: https://api.openai.com/v1/chat/completions
      headers:
         request:
            # The `name` with no additional options simple allows the passthrough of the header
           - name: "Account-Id"
           - name: "Authorization"
             required: true
             sensitive: true
             # ANONYMOUS acts as a default value for header key 'User-ID'
           - name: "User-Id"
             value: "ANONYMOUS"
         response:
           - allowAll: true

Enforcement

Header propagation rules are enforced as follows:

  1. Any header not listed by name in the policy is dropped.

  2. Headers listed by name are eligible for propagation.

  3. Headers identified by name with a configured value are propagated with that value, unless overridden.

  4. If allowOverride is set to true, the incoming header may override the configured value. Otherwise the incoming header value will be dropped.

  5. Headers marked as required must have a non-empty value—either from the default value or from an incoming headers.

  6. Headers marked as sensitive will have their values redacted in transaction exports.

  7. If allowAll is set to true, all incoming headers are eligible for propagation. Additional rules may still be configured to refine behavior.