Are the details included in the proxy authorization header visible to the target site?

When the connection is established by using HTTP, the proxy authorization header is stripped from the request before the request is routed to the target site.
When HTTPS is used, the removal of the proxy-authorization header depends on your framework.
Under normal functioning this header is sent only in the CONNECT part of the request, in which case it will not get to the target site. This is the most common scenario, and therefore
under normal circumstance and in most frameworks, there is no need to worry about the proxy authorization header being visible to the target site.

However, if for some reason your framework sends this header as well in the GET/POST part of the HTTPS request, we have no access to the proxy-authorization header and cannot remove it.
It is highly recommended to test this issue in advance by sending a request to and examining the headers reported in the response.
If the proxy-authorization header is exposed it will appear in the response.

Was this article helpful?