Pipelines
Modify requests before they reach your backend and format responses before they return to the client, without changing your backend code.
Quickstart
Add a pipelineConfig to your route to automatically convert an XML request to JSON before it hits your backend, and inject security headers on the response.
{
"pipelineConfig": {
"request": [
{
"action": "request.xmlToJson"
}
],
"response": [
{
"action": "response.securityHeaders"
}
]
}
}Reference
Request Actions
| Action Name | Description |
|---|---|
| removeField | Deletes a specific field from the JSON request body (e.g. removing internal IDs before forwarding). |
| renameField | Changes the key of a JSON field without altering its value. |
| setDefault | Adds a field with a specified value only if the field is currently missing or null. |
| stringTrim | Removes leading and trailing whitespace from a specified string field. |
| stringToLower | Converts the value of a specified string field to lowercase. |
| request.xmlToJson | Converts an XML request body into JSON. Ideal for modernizing legacy SOAP integration. |
| request.setHeader | Adds a new header or overrides an existing one before sending to the upstream. |
| request.removeHeader | Strips a specific header from the request. |
| request.setQueryParam | Adds or overrides a URL query parameter. |
| request.removeQueryParam | Removes a specific URL query parameter. |
Response Actions
| Action Name | Description |
|---|---|
| hideSensitiveData | Redacts a field's value with a specified mask string to prevent leaking PII. |
| response.setHeader | Injects a custom header into the response returned to the client. |
| response.removeHeader | Strips a specific header, such as internal server versions (e.g., X-Powered-By). |
| response.securityHeaders | Automatically injects standard OWASP security headers (HSTS, CSP, etc.). |
| response.jsonToXml | Converts a JSON response back into XML. |
Examples
Data Sanitization
Remove internal administrative flags from incoming requests, and mask Social Security Numbers from the outbound response.
{
"pipelineConfig": {
"request": [
{
"action": "removeField",
"targets": ["isAdmin", "internal_role"]
}
],
"response": [
{
"action": "hideSensitiveData",
"targets": ["user.ssn", "payment.card_number"],
"mask": "***REDACTED***"
}
]
}
}Common Errors
Internal Server Error (500)
Pipeline Action Failed
Fix: Ensure targets exist or are correctly typed. For example, applying stringToLower to an integer field will fail.
Action Skipped
Body parsing failed
Fix: JSON/XML actions require the request/response to have the corresponding Content-Type headers (e.g., application/json). If missing, the body is treated as a stream and text parsing actions are skipped.