From 8a8e8d3fb9c061fa7175cac7bbc17721a1ac5321 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 13:57:38 +0000 Subject: [PATCH] docs: add blocked headers list for WebSocket Playground proxy Co-Authored-By: David Konigsberg --- .../docs/pages/api-references/api-explorer.mdx | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fern/products/docs/pages/api-references/api-explorer.mdx b/fern/products/docs/pages/api-references/api-explorer.mdx index e8f0532aa..780ad7b98 100644 --- a/fern/products/docs/pages/api-references/api-explorer.mdx +++ b/fern/products/docs/pages/api-references/api-explorer.mdx @@ -67,6 +67,22 @@ For APIs that support WebSocket connections, the API Explorer includes a **WebSo
+### Blocked headers + +The WebSocket proxy strips certain headers during the connection handshake for security. Custom headers defined in your API definition (such as authentication headers) are forwarded normally. The following headers are blocked: + + +- `Host`, `Origin`, `Referer` +- `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Proto`, `X-Forwarded-Port`, `Forwarded` +- `X-Real-IP`, `True-Client-IP` +- `Connection`, `Keep-Alive`, `Transfer-Encoding`, `TE`, `Trailer`, `Via` +- `Upgrade` +- `Proxy-Authorization`, `Proxy-Connection` +- `Cookie`, `Set-Cookie` +- `X-Request-Id` +- Cloudflare headers: `CF-Connecting-IP`, `CF-IPCountry`, `CF-Ray`, `CF-Visitor` + + ## Control API Explorer availability For OpenAPI specs, the API Explorer is enabled by default for all endpoints. You can disable it globally or per endpoint using the [`x-fern-explorer`](/learn/api-definitions/openapi/extensions/api-explorer-control) extension. This is commonly used to disable the Explorer for destructive operations, payment processing, or admin-only endpoints.
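Review bot: In the added "Blocked headers" paragraph, the sentence saying custom headers from the API definition "are forwarded normally" conflicts with the list whenever an API definition declares one of the listed names itself, for example `Cookie` for session authentication or `X-Request-Id` for tracing. Say which rule wins, for instance "Headers on this list are removed even if they are declared in your API definition", and whether the proxy drops them silently or surfaces an error in the Playground, so a user debugging a failed handshake knows where to look. It would also help to replace the bare "for security" with a short reason per group: the `X-Forwarded-*`, `X-Real-IP`, `True-Client-IP` and `CF-*` entries are client-identity headers that an upstream may trust, while `Connection`, `Keep-Alive`, `Transfer-Encoding`, `TE`, `Trailer` and `Upgrade` are hop-by-hop headers the proxy sets itself. If the match is case-insensitive, state that too, since the list is written in one fixed casing.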