[Bug] Cannot set custom HTTP headers for custom providers — Cloudflare 403

[lengxii]

Problem

Custom OpenAI-compatible providers behind Cloudflare WAF get 403 blocked because Hermes doesn't send a proper User-Agent header. There is no way to configure custom HTTP headers via config.yaml.

Root Cause

1. headers not in valid config fields — _VALID_CUSTOM_PROVIDER_FIELDS in config.py (line 1711) does not include headers, so it's silently ignored.

2. _apply_client_headers_for_base_url strips headers for unknown providers — run_agent.py line 4647: self._client_kwargs.pop("default_headers", None) removes ALL headers for any provider not in the hardcoded list (openrouter/copilot/kimi/qwen).

3. switch_model drops headers — run_agent.py line 4586: explicitly pops default_headers on model switch.

Expected

Add headers as a supported config field for custom_providers:

custom_providers:
  - name: MyProvider
    base_url: https://api.example.com/v1
    api_key: sk-xxxxx
    model: some-model
    headers:
      User-Agent: Mozilla/5.0 (compatible; OpenAI-Client/1.0)

Headers should be applied to the OpenAI client, survive switch_model, and work in session overrides.

Impact

Common for Chinese provider ecosystem where Cloudflare-protected proxy endpoints are widespread. Currently the only fix is patching source code, which breaks on hermes update.

[b1gerart]

same issue, It's most likely caused by Cloudflare's defense rules.

[klhq]

Adding another use case beyond Cloudflare WAF — MCP tool injection control.

I'm using https://github.com/maximhq/bifrost as an OpenAI-compatible gateway in front of multiple LLM providers. Bifrost auto-injects MCP tool definitions into /v1/chat/completions requests. The only way to suppress this is via the x-bf-mcp-include-tools: __none__ request header.

Without custom header support in Hermes, every Bifrost-routed request gets 186 extra tool definitions injected, blowing past OpenAI's 128-tool limit. The current workaround is patching auxiliary_client.py at 4 client creation sites to detect "bifrost" in the base URL and add default_headers, which breaks on every Hermes update.

PR #9518 would solve this cleanly via model.custom_headers. My ideal config:

model:
    custom_headers:
        x-bf-mcp-include-tools: "__none__"

Happy to test if there's a branch to try.

[alt-glitch]

Related to #12785 — same feature request for configurable HTTP headers on custom providers. This issue provides deeper root cause analysis across three code paths.

[yuanjun-liu]

I have a new solution, use a CLIProxyAPI lcoally to transmit the request. Https -> CLIProxyAPI(lcoally) -> hermes. I had the same question and solved it by this solution.

[konsisumer]

This issue appears to describe the same problem as #12785, #25354.
Maintainer might want to consolidate or pick one as canonical.