
client-certificate-auth API Reference



Variable: PRESETS

const PRESETS: object

Defined in: parsers.js:19

Preset configurations for common reverse proxies. Maps preset name to { header, encoding } configuration, with optional chainHeader for two-header schemes (RFC 9440).

Type Declaration

aws-alb

aws-alb: object

AWS Application Load Balancer in mTLS passthrough mode.

See

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html

aws-alb.encoding

encoding: string = 'url-pem-aws'

aws-alb.header

header: string = 'x-amzn-mtls-clientcert'

aws-alb-verify

aws-alb-verify: object

AWS Application Load Balancer in mTLS verify mode. ALB validates the client certificate against a configured trust store and forwards the leaf as URL-encoded PEM (the leaf only, not the chain) plus parsed subject/issuer/serial/validity headers for convenience.

See

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html

aws-alb-verify.encoding

encoding: string = 'url-pem-aws'

aws-alb-verify.header

header: string = 'x-amzn-mtls-clientcert-leaf'

azure-app-service

azure-app-service: object

Azure App Service mTLS forwarding. App Service injects the bare base64-encoded DER (the body of a PEM cert without delimiters) into X-ARR-ClientCert. The same header convention is used by IIS/ARR.

See

https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth

azure-app-service.encoding

encoding: string = 'base64-der'

azure-app-service.header

header: string = 'x-arr-clientcert'

cloudflare

cloudflare: object

Cloudflare with client_certificate_forwarding enabled (legacy Cf-Client-Cert-* header family).

See

https://developers.cloudflare.com/api-shield/security/mtls/configure/

cloudflare.encoding

encoding: string = 'base64-der'

cloudflare.header

header: string = 'cf-client-cert-der-base64'

cloudflare-rfc9440

cloudflare-rfc9440: object

Cloudflare with RFC 9440 forwarding enabled (March 2026 feature). Operators set Client-Cert and Client-Cert-Chain headers via Transform Rules. Leaf is :base64:-wrapped; chain is a structured field list of :base64: items separated by commas.

See

https://developers.cloudflare.com/changelog/post/2026-03-25-rfc9440-mtls-fields/

cloudflare-rfc9440.chainHeader

chainHeader: string = 'client-cert-chain'

cloudflare-rfc9440.encoding

encoding: string = 'rfc9440'

cloudflare-rfc9440.header

header: string = 'client-cert'

envoy

envoy: object

Envoy proxy / Istio service mesh using XFCC header.

See

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert

envoy.encoding

encoding: string = 'xfcc'

envoy.header

header: string = 'x-forwarded-client-cert'

traefik

traefik: object

Traefik with PassTLSClientCert middleware (pem: true). Traefik sends raw base64 (no PEM delimiters, not URL-encoded).

See

https://doc.traefik.io/traefik/middlewares/http/passtlsclientcert/

traefik.encoding

encoding: string = 'base64-der'

traefik.header

header: string = 'x-forwarded-tls-client-cert'
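
The encoding strings listed above determine how a forwarded header value becomes certificate bytes. The following is an added example, not code from client-certificate-auth, that strictly decodes three of them (base64-der, rfc9440, url-pem-aws) into DER and rejects malformed input; xfcc is left out. The names decodeLeaf, parseByteSequences and b64ToDer are hypothetical, the sample bytes are constructed, and the url-pem-aws branch assumes that percent-decoding yields a PEM block.

```javascript
// Added example: hypothetical helper names, not part of client-certificate-auth.
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Strictly decode bare base64 into DER; Buffer.from() alone silently skips bad characters.
function b64ToDer(b64) {
  if (!B64.test(b64) || b64.length % 4 !== 0) throw new Error('malformed base64');
  const der = Buffer.from(b64, 'base64');
  // Every X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
  if (der[0] !== 0x30) throw new Error('not a DER SEQUENCE');
  return der;
}

// RFC 9440 list of byte sequences: ":<base64>:" items separated by commas.
function parseByteSequences(value) {
  return value.split(',').map((item) => {
    const m = /^:([^:]*):$/.exec(item.trim());
    if (!m) throw new Error('expected :base64: item');
    return b64ToDer(m[1]);
  });
}

// Decode one leaf header value according to a preset's `encoding` string.
function decodeLeaf(encoding, value) {
  switch (encoding) {
    case 'base64-der':
      return b64ToDer(value.trim());
    case 'rfc9440': {
      const items = parseByteSequences(value);
      if (items.length !== 1) throw new Error('Client-Cert must hold exactly one item');
      return items[0];
    }
    case 'url-pem-aws': {
      // Assumption: percent-decoding yields a PEM block; '+', '/' and '=' arrive unescaped.
      const pem = decodeURIComponent(value).trim();
      const m = /^-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----$/.exec(pem);
      if (!m) throw new Error('missing PEM delimiters');
      return b64ToDer(m[1].replace(/\s+/g, ''));
    }
    default:
      throw new Error(`unsupported encoding: ${encoding}`);
  }
}

// Constructed stand-in for certificate DER (SEQUENCE { INTEGER 1 }), not a real certificate.
const SAMPLE_DER = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x01]);
const SAMPLE_B64 = SAMPLE_DER.toString('base64'); // "MAMCAQE="
```

The returned Buffer is raw DER and can be handed to Node's crypto.X509Certificate constructor for field-level checks.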

Released under the MIT License.