fix: normalize allowlist headers when building the allowlist map

CHANGELOG.md

@@ -34,6 +34,7 @@
 * [BUGFIX] generator: fix dimension_mappings and target_info_excluded_dimensions being unconditionally overwritten even when overrides were nil [#6390](https://github.com/grafana/tempo/pull/6390) (@carles-grafana)
 * [BUGFIX] generator: fix panic when `write_relabel_configs` is configured on remote write endpoints [#6396](https://github.com/grafana/tempo/pull/6396) (@carles-grafana)
 * [BUGFIX] fix: reload span_name_sanitization overrides during runtime [#6435](https://github.com/grafana/tempo/pull/6435) (@electron0zero)
+* [BUGFIX] fix: normalize allowlist headers when building the allowlist map [#6481](https://github.com/grafana/tempo/pull/6481) (@javiermolinar)
 
 ### 3.0 Cleanup
 

modules/frontend/pipeline/async_strip_headers_middleware.go

@@ -1,6 +1,8 @@
 package pipeline
 
 import (
+	"net/http"
+
 	"github.com/grafana/tempo/modules/frontend/combiner"
 )
 
@@ -17,7 +19,7 @@ func NewStripHeadersWare(allowList []string) AsyncMiddleware[combiner.PipelineRe
 	// build allowed map
 	allowed := make(map[string]struct{}, len(allowList))
 	for _, header := range allowList {
-		allowed[header] = struct{}{}
+		allowed[http.CanonicalHeaderKey(header)] = struct{}{}
 	}
 
 	return AsyncMiddlewareFunc[combiner.PipelineResponse](func(next AsyncRoundTripper[combiner.PipelineResponse]) AsyncRoundTripper[combiner.PipelineResponse] {
@@ -36,7 +38,7 @@ func (c stripHeadersWare) RoundTrip(req Request) (Responses[combiner.PipelineRes
 	} else {
 		// clear out headers not in allow list
 		for header := range httpReq.Header {
-			if _, ok := c.allowed[header]; !ok {
+			if _, ok := c.allowed[http.CanonicalHeaderKey(header)]; !ok {
 				delete(httpReq.Header, header)
 			}
 		}

modules/frontend/pipeline/async_strip_headers_middleware_test.go

@@ -29,6 +29,24 @@ func TestStripHeaders(t *testing.T) {
 			headers:  map[string][]string{"header1": {"value1"}, "header2": {"value2"}},
 			expected: map[string][]string{"header1": {"value1"}},
 		},
+		{
+			name:     "allow list is case-insensitive",
+			allow:    []string{"x-plugin-id", "AUTHORIZATION"},
+			headers:  map[string][]string{"X-Plugin-Id": {"grafana-assistant"}, "authorization": {"Bearer abc"}, "X-Drop-Me": {"nope"}},
+			expected: map[string][]string{"X-Plugin-Id": {"grafana-assistant"}, "authorization": {"Bearer abc"}},
+		},
+		{
+			name:     "allow list keeps uppercase non-canonical incoming header",
+			allow:    []string{"x-plugin-id", "AUTHORIZATION"},
+			headers:  map[string][]string{"X-PLUGIN-ID": {"grafana-assistant"}, "authorization": {"Bearer abc"}, "X-Drop-Me": {"nope"}},
+			expected: map[string][]string{"X-PLUGIN-ID": {"grafana-assistant"}, "authorization": {"Bearer abc"}},
+		},
+		{
+			name:     "allow list keeps lowercase non-canonical incoming header",
+			allow:    []string{"x-plugin-id", "AUTHORIZATION"},
+			headers:  map[string][]string{"x-plugin-id": {"grafana-assistant"}, "authorization": {"Bearer abc"}, "X-Drop-Me": {"nope"}},
+			expected: map[string][]string{"x-plugin-id": {"grafana-assistant"}, "authorization": {"Bearer abc"}},
+		},
 	}
 
 	for _, tc := range tcs {