proposal: net/http2: add SensitiveHeaders to HTTP/2 Transport

[AmritM18]

Proposal Details

Go's HTTP/2 implementation indexes all headers in the HPACK dynamic table by default. This has two primary impacts:

• Go lacks a mechanism to follow the RFC 7541 recommendation to use a "Never Indexed" representation for sensitive secrets like Authorization or X-API-Key.
• Large, unique headers cause table thrashing by frequently evicting useful static headers. This causes fleet-wide CPU overhead and degrades compression efficiency by forcing common headers to be re-transmitted as literals.

I propose adding a SensitiveHeaders []string field to the Transport. This field allows users to specify case-insensitive header names that the HPACK encoder should flag as "Never Indexed." Setting this at the Transport level ensures a consistent policy across all pooled connections. This applies to the client side of the connection.

type Transport struct {
    // ... existing fields ...
    
    // SensitiveHeaders specifies header names that should never be
    // indexed in HTTP/2 HPACK dynamic tables. Header names are
    // matched case-insensitively. This prevents sensitive data
    // from being stored in HPACK tables and reduces table thrashing
    // from large, unique headers.
    SensitiveHeaders []string
}

Alternatives considered:

• We considered a mechanism to set these headers dynamically using a "magic" header or a "Trailer-like" internal signaling trick (e.g., Headers.Set("__sensitive", "header-name")). We decided on a global approach because it is less cumbersome for headers that are consistently sensitive across a service.
• Libraries like nghttp2 avoid indexing headers larger than 75% of the table size to prevent thrashing. This could be a separate proposal in the future.

[gabyhelp]

Related Issues

• net/http: consider supporting HTTP 2/3 never-indexed literals #71374
• x/net/http2: add support for SETTINGS_HEADER_TABLE_SIZE #56054 (closed)
• x/net/http2: toggle HPACK dynamic table indexing for header #15592
• net/http: add support for SETTINGS_ENABLE_CONNECT_PROTOCOL #53208
• proposal: net/http: Enabling support for HTTP/2 ORIGIN Frames RFC 8336 #55121 (closed)
• net/http: HTTP/2 configuration API #67813 (closed)

Related Discussions

• net/http: move HTTP/2 into the standard library

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[nicholashusin]

Seems like a reasonable feature to support.

Some comments:

• Hopefully not bikeshedding, but I'd prefer the name to be NeverIndexedHeaders or so. I think SensitiveHeaders assumes too much in why someone might not want a header to be indexed (as you mentioned, someone might just want to avoid storing large unique headers for purely performance reasons).
• Using []string might not be the best choice here. When checking if a header should be indexed or not, we'd naturally want this to be a map / set, so a []string type would mean that we'd have to make our own map[string]any internally, which is an extra alloc. Using a map[string]any does not seem ergonomically nice either though. Maybe a new type would be better here, say, HeaderNames, which can also handle canonicalization? Something like below:

---

// HeaderNames is an unordered set of header names.
// Its entries are automatically canonicalized.
type HeaderNames struct {}

func (h *HeaderNames) Add(names ...string)

func (h *HeaderNames) Delete(names ...string)

func (h *HeaderNames) All() iter.Seq[string]

CC: @neild

[neild]

An opaque HeaderNames or HeaderNameSet would also let us deal with case-sensitivity issues once at insertion time.

[AmritM18]

Seems like a reasonable feature to support.

Some comments:

• Hopefully not bikeshedding, but I'd prefer the name to be NeverIndexedHeaders or so. I think SensitiveHeaders assumes too much in why someone might not want a header to be indexed (as you mentioned, someone might just want to avoid storing large unique headers for purely performance reasons).
• Using []string might not be the best choice here. When checking if a header should be indexed or not, we'd naturally want this to be a map / set, so a []string type would mean that we'd have to make our own map[string]any internally, which is an extra alloc. Using a map[string]any does not seem ergonomically nice either though. Maybe a new type would be better here, say, HeaderNames, which can also handle canonicalization? Something like below:

// HeaderNames is an unordered set of header names.
// Its entries are automatically canonicalized.
type HeaderNames struct {}

func (h *HeaderNames) Add(names ...string)

func (h *HeaderNames) Delete(names ...string)

func (h *HeaderNames) All() iter.Seq[string]

CC: @neild

NeverIndexedHeaders makes sense and is more expressive. I will use that instead. I also agree with a new type with an unordered set of header names instead of []string.

I've got some questions about the HeaderNames struct. Would NewHeaderNames returning an immutable struct be enough, or do we want the full dynamic API?

Like so:

type HeaderNames struct {
	m map[string]struct{}
}

func NewHeaderNames(names ...string) *HeaderNames {
	h := &HeaderNames{m: make(map[string]struct{}, len(names))}
	for _, n := range names {
		h.m[strings.ToLower(n)] = struct{}{}
	}
	return h
}

func (h *HeaderNames) contains(name string) bool {
	if h == nil {
		return false
	}
	_, ok := h.m[name]
	return ok
}

Seems like Add and Delete would need locks since the Transport is shared across goroutines. Do we need them or can they be dropped? As for All(), I'm ok either way with adding it or not adding it. What do you suggest?

cc @nicholashusin

[AmritM18]

I have put up a change implementing this proposal here: https://go-review.googlesource.com/c/net/+/770260. I would appreciate if I could get feedback on it.

Benchmarks before and after:

goos: linux
goarch: amd64
pkg: golang.org/x/net/http2
cpu: Intel(R) Xeon(R) CPU @ 2.60GHz
                                                 │ /home/user/before.txt │       /home/user/after.txt        │
                                                 │        sec/op         │   sec/op     vs base              │
ClientRequestHeaders/___0_Headers-96                         62.51µ ± 2%   62.79µ ± 4%       ~ (p=0.937 n=6)
ClientRequestHeaders/__10_Headers-96                         71.10µ ± 1%   72.53µ ± 1%  +2.02% (p=0.004 n=6)
ClientRequestHeaders/_100_Headers-96                         135.1µ ± 2%   135.8µ ± 3%       ~ (p=0.485 n=6)
ClientRequestHeadersNeverIndexed/__10_Headers-96                           72.23µ ± 2%
ClientRequestHeadersNeverIndexed/_100_Headers-96                           136.7µ ± 2%
geomean                                                      84.36µ        90.61µ       +1.01%

                                                 │ /home/user/before.txt │        /home/user/after.txt        │
                                                 │         B/op          │     B/op      vs base              │
ClientRequestHeaders/___0_Headers-96                        4.457Ki ± 0%   4.458Ki ± 1%       ~ (p=0.738 n=6)
ClientRequestHeaders/__10_Headers-96                        6.161Ki ± 0%   6.159Ki ± 0%       ~ (p=0.268 n=6)
ClientRequestHeaders/_100_Headers-96                        29.10Ki ± 0%   29.08Ki ± 0%  -0.05% (p=0.002 n=6)
ClientRequestHeadersNeverIndexed/__10_Headers-96                           6.157Ki ± 0%
ClientRequestHeadersNeverIndexed/_100_Headers-96                           29.07Ki ± 0%
geomean                                                     9.279Ki        10.74Ki       -0.02%

                                                 │ /home/user/before.txt │        /home/user/after.txt        │
                                                 │       allocs/op       │ allocs/op   vs base                │
ClientRequestHeaders/___0_Headers-96                          52.00 ± 0%   52.00 ± 0%       ~ (p=1.000 n=6) ¹
ClientRequestHeaders/__10_Headers-96                          76.00 ± 0%   76.00 ± 0%       ~ (p=1.000 n=6) ¹
ClientRequestHeaders/_100_Headers-96                          346.0 ± 0%   346.0 ± 0%       ~ (p=1.000 n=6) ¹
ClientRequestHeadersNeverIndexed/__10_Headers-96                           76.00 ± 0%
ClientRequestHeadersNeverIndexed/_100_Headers-96                           346.0 ± 0%
geomean                                                       111.0        129.2       +0.00%
¹ all samples are equal

[nicholashusin]

Thanks @AmritM18 , and apologies for the delayed response.

Regarding the API, I personally don't have a particularly strong feeling either way. However, I believe that there is currently a working group that is trying to make a proposal for how a set should look like in Go. I think the right thing to do here is to wait for that. That way, we can ensure that our "header set" API is consistent with the regular set API within the standard library.

[AmritM18]

Hey @nicholashusin thanks for taking a look.

Since we don't need any of the api functionality, then there is no need to use a set here? Instead, we could just have a slice of strings. Performance should be similar since we expect the number of never-indexed headers to be small.

I've put up another CL here using a string slice instead: https://go-review.googlesource.com/c/net/+/771144

What do you think?

[nicholashusin]

Sorry, I think there's a misunderstanding here.

To clarify, what I was trying to get at previously is that I'm not particularly opinionated on what methods / API we should have for HeaderNames, and should instead focus on HeaderNames having a consistent API with the upcoming set proposal. How HeaderNames is implemented under the hood (i.e. whether it uses a slice or not) does not matter that much for a proposal since it's an implementation detail that we can always change. At this stage, we mostly care about what exported symbols will be added (and have to be kept around forever).