client-certificate-auth

Appearance

client-certificate-auth API Reference

client-certificate-auth API Reference / extractor / ExtractorOptions

Interface: ExtractorOptions

Defined in: extractor.js:70

Properties

certificateHeader?

optional certificateHeader?: string

Defined in: extractor.js:74

Custom header name. Trust boundary: the proxy must strip this header from external requests; any source that can set it is trusted to assert client identity.

certificateSource?

optional certificateSource?: "aws-alb" | "aws-alb-verify" | "azure-app-service" | "cloudflare" | "cloudflare-rfc9440" | "envoy" | "traefik"

Defined in: extractor.js:71

Preset configuration. Trust boundary: the proxy must strip the preset's header from external requests; any source that can set it is trusted to assert client identity.

chainHeader?

optional chainHeader?: string

Defined in: extractor.js:77

Optional second header carrying the certificate chain alongside the leaf. Split on commas per RFC 9440, each item parsed with the same headerEncoding, results linked via issuerCertificate. For non-RFC-9440 encodings the comma split may not match the encoding's list convention.

fallbackToSocket?

optional fallbackToSocket?: boolean

Defined in: extractor.js:82

Try socket if header extraction fails

headerEncoding?

optional headerEncoding?: "url-pem" | "url-pem-aws" | "xfcc" | "base64-der" | "rfc9440"

Defined in: extractor.js:81

Header encoding

includeChain?

optional includeChain?: boolean

Defined in: extractor.js:83

Include issuerCertificate chain

verifyHeader?

optional verifyHeader?: string

Defined in: extractor.js:84

Header name for upstream verification status

verifyValue?

optional verifyValue?: string

Defined in: extractor.js:85

Expected value for successful verification

Released under the MIT License.

Copyright © 2013-2026 Tony Gies