@NicolaivdSmagt
Contributor

Summary

Fixes #17477

Guardrails couldn't access request headers (like User-Agent) on Bedrock pass-through endpoints because headers were only stored in data["proxy_server_request"]["headers"] but not in data["metadata"]["headers"] where guardrails typically look for them.

This fix adds headers to metadata in add_litellm_data_to_request() so guardrails can access User-Agent, API keys, and other header-based checks on all endpoints including Bedrock pass-through.

Changes

  • Added headers to data["metadata"]["headers"] in litellm/proxy/litellm_pre_call_utils.py
  • Added test to verify headers are available in metadata for guardrails

Test plan

  • Unit test added: test_add_litellm_data_to_request_adds_headers_to_metadata
  • Manual testing confirmed guardrails can now access User-Agent on Bedrock pass-through

Fixes BerriAI#17477

Guardrails couldn't access request headers (like User-Agent) on Bedrock
pass-through endpoints because headers were only stored in
data["proxy_server_request"]["headers"] but not in data["metadata"]["headers"]
where guardrails typically look for them.

This fix adds headers to metadata in add_litellm_data_to_request() so
guardrails can access User-Agent, API keys, and other header-based checks
on all endpoints including Bedrock pass-through.

Test added to verify headers are available in metadata for guardrails.

@krrishdholakia
Contributor

couldn't this lead to the litellm api key being accidentally logged as part of request metadata? @NicolaivdSmagt

seems dangerous - how can we make it easier to access for you, while preventing this?

it would help to know if you're overriding an individual event hook or using apply_guardrails

@NicolaivdSmagt
Contributor Author

> couldn't this lead to the litellm api key being accidentally logged as part of request metadata? @NicolaivdSmagt
>
> seems dangerous - how can we make it easier to access for you, while preventing this?
>
> it would help to know if you're overriding an individual event hook or using apply_guardrails

I'm using a custom guardrail that extends CustomGuardrail and overrides async_pre_call_hook. The use case is restricting access to Claude on Bedrock to only Claude Code clients by validating the User-Agent header. The guardrail extracts the User-Agent from data["metadata"]["headers"] - which is the standard pattern I found in other guardrails like AIM (aim.py:94).

This didn't work on Bedrock pass-through endpoints, because headers were only in data["proxy_server_request"]["headers"], not in data["metadata"]["headers"] where guardrails seem supposed to look.

Re: API key concern: my fix actually uses clean_headers() (line 805) which removes ALL sensitive headers defined in SpecialHeaders - including Authorization, API-Key, x-api-key, etc.

The existing code at line 1007 (which already runs for all endpoints) actually creates headers from dict(request.headers) and only removes authorization, leaving API key variants possibly exposed?
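
The header-handling difference discussed in the comment above, as an added example that is not part of the original thread and is not LiteLLM's code. The function names, the denylist contents and the sample headers are assumptions constructed for illustration.

```python
from typing import Dict, List, Mapping

# Assumed denylist (constructed for this example), compared in lowercase.
SENSITIVE_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "api-key", "x-api-key", "cookie"}
)


def strip_authorization_only(headers: Mapping[str, str]) -> Dict[str, str]:
    """Copy every header and drop a single name; API key variants survive."""
    copied = dict(headers)
    copied.pop("authorization", None)
    return copied


def strip_sensitive(headers: Mapping[str, str]) -> Dict[str, str]:
    """Drop every denylisted header, matching names case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def leaked_credentials(headers: Mapping[str, str]) -> List[str]:
    """Names of credential-bearing headers still present (useful in a unit test)."""
    return sorted(k for k in headers if k.lower() in SENSITIVE_HEADERS)


def user_agent_allowed(data: dict, allowed_prefix: str) -> bool:
    """Guardrail-style check that reads only data["metadata"]["headers"]."""
    headers = data.get("metadata", {}).get("headers", {})
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    # User-Agent is client-supplied: a policy filter, not authentication.
    return ua.startswith(allowed_prefix)


# Constructed request headers (fake values; lowercase names as ASGI delivers them).
RAW = {
    "user-agent": "example-cli/1.0",
    "authorization": "Bearer sk-constructed",
    "x-api-key": "sk-constructed",
    "content-type": "application/json",
}

if __name__ == "__main__":
    print("authorization-only leaves:", leaked_credentials(strip_authorization_only(RAW)))
    data = {"metadata": {"headers": strip_sensitive(RAW)}}
    print("denylist leaves:", leaked_credentials(data["metadata"]["headers"]))
    print("user-agent allowed:", user_agent_allowed(data, "example-cli/"))
```

A test that asserts `leaked_credentials(...)` is empty on whatever is written into request metadata catches a regression before the metadata reaches a logging callback.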

@krrishdholakia krrishdholakia changed the base branch from main to litellm_staging_12_16_2025 December 16, 2025 08:11
@krrishdholakia krrishdholakia merged commit 09ba89d into BerriAI:litellm_staging_12_16_2025 Dec 16, 2025
6 of 7 checks passed
@krrishdholakia
Contributor

Noted - thanks for clarifying @NicolaivdSmagt

@krrishdholakia
Contributor

it's merged into staging, and will be live on Thursday's nightly.

Successfully merging this pull request may close these issues.

[Bug]: session id and guardrails are not used via bedrock pass through mechanism
