Not having a problem, just wondering if there’s a way to do this.
When using forward_auth, it’s common to have multiple apps on subdomains, app1.example.com, app2.example.com, etc., and an auth server at say login.example.com.
Caddy forwards every request to login.example.com which generally checks a cookie or other header and decides whether to let the request through. All headers are passed through by default.
If app1.example.com gets exploited, it could start using the cookies passed through to it to make authenticated requests to app2.example.com. This is a problem even if your apps are tightly isolated from each other, because app1.example.com would be going through Caddy. You could lock the apps down so they can’t make such requests, but this could be tricky to get right.
What I’m trying to do is tell Caddy to strip the auth cookies before passing the request through. The docs show how to remove the cookie header entirely, but is there a way to do it selectively, as there are likely app-specific cookies that need to be passed through?
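To illustrate the selective stripping the post asks about, here is an added Go example (not Caddy's own code and not from the original post): it parses the Cookie header with net/http, drops a constructed deny-list of auth-server cookie names, and keeps every other cookie in its original order. The cookie names and the middleware wrapper are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// authCookies is a constructed deny-list: names of cookies issued by the
// auth server (login.example.com) that must never reach an app backend.
var authCookies = map[string]bool{
	"session":    true,
	"auth_token": true,
}

// StripAuthCookies removes only the deny-listed cookies from a Cookie
// header value and returns the rewritten value. App-specific cookies are
// kept in their original order; "" means nothing is left to forward.
func StripAuthCookies(cookieHeader string) string {
	// Reuse net/http's Cookie-header parser instead of splitting on ";" by hand.
	req := &http.Request{Header: http.Header{"Cookie": {cookieHeader}}}
	var kept []string
	for _, c := range req.Cookies() {
		if authCookies[c.Name] {
			continue
		}
		kept = append(kept, c.Name+"="+c.Value)
	}
	return strings.Join(kept, "; ")
}

// stripCookieMiddleware (assumed name) shows where the rewrite sits: after
// forward_auth has approved the request and before it is proxied to the app.
// If no cookies survive, the header is removed entirely.
func stripCookieMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := StripAuthCookies(r.Header.Get("Cookie")); v != "" {
			r.Header.Set("Cookie", v)
		} else {
			r.Header.Del("Cookie")
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample header mixing auth cookies with app-specific ones.
	fmt.Println(StripAuthCookies("session=abc; theme=dark; auth_token=xyz; app1_pref=1"))
}
```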