I'm trying to interact with Walmart's Marketplace API using fetch. Walmart's API requires I provide WM_SVC.NAME headers and several other non-x-prefixed custom headers. It is my understanding that cloudflare's fetch will strip these headers by default. Is there anything I can do to prevent them from being removed?
I have heard that cloudflare pages does not face this restriction, but I want to be sure before I move anything over.
Cloudflare Workers has no problem with custom header names that lack an X- prefix.
However, there is a different problem: the header name contains a . character. While the Cloudflare Workers runtime itself (workerd) supports such header names, it appears that nginx will remove headers containing .s for security reasons. Cloudflare's proxy stack uses nginx, and Workers -- when hosted on Cloudflare -- proxies all incoming and outgoing requests through this stack. Unfortunately, this means that header names containing . characters cannot be used from Cloudflare Workers hosted on Cloudflare.
Cloudflare Pages is based on Workers, and has exactly the same restrictions.
It's odd that Walmart has built their API around header names containing . characters given that they are uncommon and incompatible with software like nginx. You might want to check the documentation to see if there is an alternative spelling of these headers that does not use . -- this is probably an issue that has come up before.
It's possible that Cloudflare will support such header names in the future as nginx is being phased out, but I don't know how soon that might be.
(I'm the lead engineer for Cloudflare Workers.)
