Request_header_access is a Squid configuration directive that controls which HTTP request headers are allowed through the proxy, which are denied, and which are stripped before forwarding. It lets administrators reduce the amount of sensitive or unnecessary metadata that leaves the proxy, such as Authorization fields, tokens, or client-specific headers.
This matters because proxies sit between users and upstream services, so they often see the most valuable secrets in transit. If a proxy forwards headers it does not need, those values can be exposed to legacy protocol handlers, logged by back-end systems, or leaked when memory-safety bugs occur. In defense, tight request_header_access rules help limit blast radius by removing high-risk headers from requests that do not need them, especially on uncommon paths like FTP gateway support.