A tiny Traefik middleware plugin that strips a configurable list of cookies from the
Cookie request header before the request reaches the backend service. Useful when an upstream layer (e.g. a
forward-auth SSO middleware) authenticates the user via a cookie that should never reach downstream services —
especially third-party ones (Ghost, Metabase, Plausible, Grafana, …) where cookie exposure could leak the user's
session token.
The middleware preserves all other cookies untouched, so service-internal cookies (Grafana session, Ghost session, etc.) keep working.
Register the plugin via the Plugins Hub flow:
```yaml
experimental:
  plugins:
    stripCookie:
      moduleName: "github.com/Skiley/strip-cookie-traefik-plugin"
      version: "v1.0.0"
```

Declare a middleware that uses the plugin and pass the cookies you want stripped:
```yaml
http:
  middlewares:
    strip-auth-cookies:
      plugin:
        stripCookie:
          cookieNames:
            - "authToken"
            - "anotherCookie"
```

Then attach it to a router (here, chained after a forward-auth middleware so the auth check still sees the cookie):
```yaml
http:
  middlewares:
    sso-admin:
      chain:
        middlewares:
          - sso-admin-forward-auth
          - strip-auth-cookies
```

Or via Docker labels:
```yaml
labels:
  - "traefik.http.routers.web-admin.middlewares=strip-auth-cookies@file"
```

| Field | Type | Default | Description |
|---|---|---|---|
| `cookieNames` | `[]string` | `[]` | List of cookie names to remove from the `Cookie` request header. |
When cookieNames is empty, the middleware is a no-op.
- Reads the request's `Cookie` header and parses it into individual cookies.
- Drops the `Cookie` header.
- Re-adds every cookie whose name is NOT in `cookieNames`.
- Forwards the request to the next handler.
Behaviour is order-preserving for the kept cookies and case-sensitive on cookie names (HTTP cookie names are case-sensitive per RFC 6265).
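The four steps above, written as a standard-library Go handler. This is an added illustration, not the plugin's own source; `stripCookies`, `forwardedCookieHeader`, the backend URL and the sample cookie values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// stripCookies (hypothetical name) removes the listed cookies from the Cookie
// request header before calling next. Names are compared exactly (case-sensitive).
func stripCookies(names []string, next http.Handler) http.Handler {
	if len(names) == 0 {
		return next // empty list: no-op, header is forwarded untouched
	}
	blocked := make(map[string]struct{}, len(names))
	for _, n := range names {
		blocked[n] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Step 1: parse. Go's parser skips pairs it considers malformed,
		// so those are not forwarded either.
		cookies := r.Cookies()
		// Step 2: drop the whole header.
		r.Header.Del("Cookie")
		// Step 3: re-add the kept cookies in their original order.
		for _, c := range cookies {
			if _, drop := blocked[c.Name]; !drop {
				r.AddCookie(c)
			}
		}
		// Step 4: forward.
		next.ServeHTTP(w, r)
	})
}

// forwardedCookieHeader sends one constructed request through the middleware
// and returns the Cookie header value the backend handler receives.
func forwardedCookieHeader(names []string, cookieHeader string) string {
	var seen string
	backend := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Cookie")
	})
	req := httptest.NewRequest(http.MethodGet, "http://backend.example/", nil)
	req.Header.Set("Cookie", cookieHeader)
	stripCookies(names, backend).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println(forwardedCookieHeader([]string{"authToken"},
		"grafana_session=abc; authToken=secret; theme=dark"))
}
```

When every cookie on the request is in the list, the backend receives no `Cookie` header at all.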
MIT