Add example of empty sensitive headers

Emphasises that it's a black list, and clarifies that you need to set it to empty to get authorization and cookie headers.

Add example of empty sensitive headers
704a874e · Dave Syer · 428ed6c8 · 704a874e
Commit 704a874e authored Nov 03, 2016 by Dave Syer
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

spring-cloud-netflix.adoc docs/src/main/asciidoc/spring-cloud-netflix.adoc +18 -2

No files found.
--- a/docs/src/main/asciidoc/spring-cloud-netflix.adoc
+++ b/docs/src/main/asciidoc/spring-cloud-netflix.adoc
@@ -1470,13 +1470,29 @@ route, e.g.
      url: https://downstream
 ----

-Sensitive headers can also be set globally by setting `zuul.sensitiveHeaders`. If `sensitiveHeaders` is set on a route, this will override the global `sensitiveHeaders` setting.
-
 NOTE: this is the default value for `sensitiveHeaders`, so you don't
 need to set it unless you want it to be different. N.B. this is new in
 Spring Cloud Netflix 1.1 (in 1.0 the user had no control over headers
 and all cookies flow in both directions).

+The `sensitiveHeaders` are a blacklist and the default is not empty,
+so to make Zuul send all headers (except the "ignored" ones) you would
+have to explicitly set it to the empty list. This is necessary if you
+want to pass cookie or authorization headers to your back end. Example:
+
+.application.yml
+[source,yaml]
+----
+ zuul:
+  routes:
+    users:
+      path: /myusers/**
+      sensitiveHeaders: 
+      url: https://downstream
+----
+
+Sensitive headers can also be set globally by setting `zuul.sensitiveHeaders`. If `sensitiveHeaders` is set on a route, this will override the global `sensitiveHeaders` setting.
+
 === Ignored Headers

 In addition to the per-route sensitive headers, you can set a global