X-Envoy-Upstream-Service-Time

Description

The 'X-Envoy-Upstream-Service-Time' header is added by Envoy Proxy to indicate how long it took (in milliseconds) for the upstream service to process the request. Exposing this header can leak performance metrics or internal timing details, which attackers could use to profile the application, identify potential bottlenecks, or orchestrate timing-based attacks. While not always a critical leak, it can assist malicious actors in fine-tuning denial-of-service attempts or determining which services might be more vulnerable to targeted attacks. Ultimately, leaking this performance data increases the potential for advanced reconnaissance and threat modeling against your infrastructure.

Remediation

Remove or mask the 'X-Envoy-Upstream-Service-Time' header before sending responses to untrusted clients. Configure your Envoy Proxy settings, along with any reverse proxies, load balancers, or CDNs, to avoid passing this header externally. Ensure Envoy and other infrastructure components are kept up to date with the latest security patches to mitigate known vulnerabilities. If performance metrics are needed for internal monitoring, store or visualize them within a secured environment or logging service rather than exposing them in production responses. Periodically review your configuration to confirm that no timing or performance data is unintentionally disclosed to the public.
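The following Envoy bootstrap fragment is an added example of the remediation above; it is not configuration taken from this page or from the Envoy project. It assumes a single HTTP listener fronting a cluster named app_cluster whose endpoint app.internal:8000 is a constructed placeholder. Two controls are combined: the router filter's suppress_envoy_headers option stops Envoy from adding x-envoy-upstream-service-time (and its other x-envoy-* headers) to responses, and response_headers_to_remove on the virtual host strips the header if an upstream hop already set it.

```yaml
static_resources:
  listeners:
  - name: public_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              # Defence in depth: strip the header at the route level too, so a
              # value set by an upstream service or another Envoy hop is not
              # forwarded to the client.
              response_headers_to_remove:
              - x-envoy-upstream-service-time
              routes:
              - match: { prefix: "/" }
                route: { cluster: app_cluster }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
              # Primary control: the router filter no longer emits
              # x-envoy-upstream-service-time or other x-envoy-* headers.
              # Upstream timing stays available through Envoy's stats and
              # access logs for internal monitoring.
              suppress_envoy_headers: true
  clusters:
  - name: app_cluster
    type: STRICT_DNS
    load_assignment:
      cluster_name: app_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Constructed placeholder for the real upstream service.
              socket_address: { address: app.internal, port_value: 8000 }
```

After reloading Envoy, confirm the change from outside the trust boundary with a HEAD request (for example, curl -sI against the public hostname) and check that no x-envoy-upstream-service-time line appears in the response headers; repeat the check at any CDN or load balancer in front of Envoy, since those layers can add or forward headers of their own.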

References

https://www.envoyproxy.io/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3