Unable to remove Authorization header from the request


I am using Kong Request Transformer plugin to remove Authorization header from the original request.
I have configured plugin with as below:
curl -i -X POST http://kong:8001/routes/my-route/plugins --data “name=request-transformer” --data “config.remove.headers=Authorization”

However it is not removing Authorization header on the upstream.

I have tried to add and remove a random header and it works:
–data “config.remove.headers=custom-header”


Do you have any other plugins enabled for your Kong configuration? What does your request to Kong looks like?


No, I have disabled the rest of the plugins.

My request is:
curl -i -X POST -H “Authorization: Basic eGk6cGFzc3dvcmQ=” -H “custom-header: test” -H “Content-Type: multipart/related” --url http://kong:8000/my-route-url

Looks like Basic-Authentication plugin has a flag ‘config.hide_credentials’ which will remove the credentials when proxying to upstream.

So after enabling Basic-Authentication plugin and the ‘config.hide_credentials’ flag it works!

May be Request Transformer plugin on purpose not removing the header as it is provided with Basic-Authentication plugin?