Stealth Mode: Disguised JSON as PlainText to bypass corporate filters

2026-02-10 22:32:52 +08:00
parent 692964625d
commit bb8ba326ff
2 changed files with 17 additions and 10 deletions
--- a/6
+++ b/6
@@ -7,19 +7,17 @@ ai-gateway.ldex.dev {
        output stdout
    }

-    # Stealth CORS: Reflect the requester's origin instead of using "*"
-    # This avoids the "*, *" duplication and looks less suspicious to Zscaler
+    # Remove the server signature so Zscaler doesn't know it's a Python app
    header {
+        -Server
        Access-Control-Allow-Origin "{header.Origin}"
        Access-Control-Allow-Methods "GET, POST, OPTIONS"
        Access-Control-Allow-Headers "*"
        Access-Control-Expose-Headers "*"
        Access-Control-Allow-Credentials "true"
-        # 'defer' ensures we override any headers sent by the backend
        defer
    }

-    # Handle preflights immediately
    @options {
        method OPTIONS
    }