docs: refactor headers (authelia#6922)

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

docs/content/blog/release-notes-4.38/index.md

@@ -502,7 +502,7 @@ our containers. The advantage is that since the variable will be available when
 context, even if the configuration paths have changed or you've defined additional paths, the `authelia` command will
 know where the files are if you properly use this variables.
 
-See the [Loading Behaviour and Discovery](../../configuration/methods/files.md#loading-behaviour-and-discovery) section
+See the [Loading behavior and Discovery](../../configuration/methods/files.md#loading-behavior-and-discovery) section
 of the File Methods guide for more information.
 
 #### Templating

docs/content/configuration/identity-providers/openid-connect/clients.md

@@ -209,8 +209,8 @@ their redirect URIs are as follows:
 {{< confkey type="list(string)" required="no" >}}
 
 A whitelist of audiences this client is allowed to request. These audiences were previously automatically granted to all
-access requests unless specifically requested otherwise. The current behaviour is only those requested by the client in
-the `audience` parameter are granted. This behaviour can be tuned using the
+access requests unless specifically requested otherwise. The current behavior is only those requested by the client in
+the `audience` parameter are granted. This behavior can be tuned using the
 [requested_audience_mode](#requested_audience_mode).
 
 This value does not affect the issued ID Tokens as they are always issued with the client identifier being the audience.
@@ -311,7 +311,7 @@ The name of the custom lifespan that this client uses. A custom lifespan is name
 {{< confkey type="string" default="explicit" required="no" >}}
 
 Controls the effective audience the client has requested. The following table describes the possible values and their
-behaviour. This value does not affect the issued ID Tokens as they are always issued with the client identifier being
+behavior. This value does not affect the issued ID Tokens as they are always issued with the client identifier being
 the audience.
 
 |  Value   |                                                   Description                                                    |
@@ -572,14 +572,15 @@ otherwise we assume the default value:
 {{< confkey type="boolean" default="false" required="no" >}}
 
 [RFC6749: Section 2.3](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3) clearly indicates that clients have no
-option but to use a single authentication method. Per the text:
+option but to use a single authentication method in any single request. Authelia by default enforces this behavior, this
+is an escape hatch to turn this policy off for a particular client.
+
+Per the text:
 
 {{< callout context="danger" title="RFC6749: Section 2.3" icon="alert-octagon" >}}
 The client MUST NOT use more than one authentication method in each request.
 {{< /callout >}}
 
-Authelia by default enforces this behaviour, this is an escape hatch to turn this policy off for a particular client.
-
 ### jwks_uri
 
 {{< confkey type="string" required="situational" >}}

docs/content/configuration/methods/files.md

@@ -17,7 +17,7 @@ seo:
   noindex: false # false (default) or true
 ---
 
-## Loading Behaviour and Discovery
+## Loading behavior and Discovery
 
 There are several options which affect the loading of files:
 
@@ -43,7 +43,7 @@ misconfiguration scenarios it's not perfect. Each file type has recommended meth
 
 ### YAML
 
-*Authelia* loads `configuration.yml` as the configuration if you just run it. You can override this behaviour with the
+*Authelia* loads `configuration.yml` as the configuration if you just run it. You can override this behavior with the
 following syntax:
 
 ```bash

docs/content/configuration/miscellaneous/logging.md

@@ -116,7 +116,7 @@ log:
 
 {{< confkey type="boolean" default="false" required="no" >}}
 
-Overrides the behaviour to redirect logging only to the `file_path`. If set to `true` logs will be written to both
+Overrides the behavior to redirect logging only to the `file_path`. If set to `true` logs will be written to both
 standard output, and the defined logging location.
 
 ```yaml

docs/content/configuration/miscellaneous/ntp.md

@@ -106,7 +106,7 @@ in [max_desync](#max_desync) that Authelia fails to start and logs a fatal error
 
 ## Frequently Asked Questions
 
-This section acts as a frequently asked questions for the NTP behaviour and configuration.
+This section acts as a frequently asked questions for the NTP behavior and configuration.
 
 ### Why is this check important and enabled by default?
 

docs/content/configuration/miscellaneous/server-endpoints-authz.md

@@ -30,21 +30,21 @@ server:
       forward-auth:
         implementation: 'ForwardAuth'
         authn_strategies:
-          - name: 'HeaderProxyAuthorization'
+          - name: 'HeaderAuthorization'
             schemes:
               - 'Basic'
           - name: 'CookieSession'
       ext-authz:
         implementation: 'ExtAuthz'
         authn_strategies:
-          - name: 'HeaderProxyAuthorization'
+          - name: 'HeaderAuthorization'
             schemes:
               - 'Basic'
           - name: 'CookieSession'
       auth-request:
         implementation: 'AuthRequest'
         authn_strategies:
-          - name: 'HeaderAuthRequestProxyAuthorization'
+          - name: 'HeaderAuthRequestAuthorization'
             schemes:
               - 'Basic'
           - name: 'CookieSession'

docs/content/configuration/prologue/common.md

@@ -113,7 +113,7 @@ The following format represents the unix domain socket format. It's valid for bo
 instances. Refer to the individual documentation for an option for clarity. In this format as per the notation there
 are no optional portions.
 
-The Unix Domain Socket format also accepts a query string. The following query parameters control certain behaviour of
+The Unix Domain Socket format also accepts a query string. The following query parameters control certain behavior of
 this address type.
 
 | Parameter | Listeners | Connectors |                                                                                                           Purpose                                                                                                            |

docs/content/configuration/session/introduction.md

@@ -21,7 +21,7 @@ seo:
 ---
 
 __Authelia__ relies on session cookies to authorize user access to various protected websites. This section configures
-the session cookie behaviour and the domains which Authelia can service authorization requests for.
+the session cookie behavior and the domains which Authelia can service authorization requests for.
 
 ## Configuration
 
@@ -149,7 +149,7 @@ be used to generate the appropriate redirection URL when authentication is requi
    the [server address option](../miscellaneous/server.md#address) of `authelia` to specify a subpath and if the
    Authelia portal is inaccessible from `https://example.com`).
 
-The appropriate query parameter or header for your relevant proxy can override this behaviour.
+The appropriate query parameter or header for your relevant proxy can override this behavior.
 
 #### default_redirection_url
 

docs/content/contributing/guidelines/pull-request.md

@@ -58,7 +58,7 @@ rewrites history.
 The following requirements must be met for a pull request to be accepted. This list also acts as a checklist for
 maintainers in their review process.
 
-- The changes must be [documented](../prologue/documentation-contributions.md) if they add or change behaviour
+- The changes must be [documented](../prologue/documentation-contributions.md) if they add or change behavior
 - The changes must meet the following guidelines:
   - [General](introduction.md#general-guidelines)
   - [Commit Message]

docs/content/integration/deployment/docker.md

@@ -45,7 +45,7 @@ this section is not meant to document the daemon environment variables.
 
 ### Permission Context
 
-By default the container runs as the configured [Docker] daemon user. Users can control this behaviour in several ways.
+By default the container runs as the configured [Docker] daemon user. Users can control this behavior in several ways.
 
 The first and recommended way is instructing the [Docker] daemon to run the *Authelia* container as another user. See
 the [docker run] or [Docker Compose file reference documentation](https://docs.docker.com/compose/compose-file/05-services/#user)

docs/content/integration/kubernetes/istio.md

@@ -51,8 +51,6 @@ spec:
             - 'authorization'
             - 'proxy-authorization'
           headersToUpstreamOnAllow:
-            - 'authorization'
-            - 'proxy-authorization'
             - 'remote-*'
             - 'authelia-*'
           includeAdditionalHeadersInCheck:

docs/content/integration/kubernetes/nginx-ingress.md

@@ -48,7 +48,7 @@ annotations:
   nginx.ingress.kubernetes.io/auth-method: 'GET'
   nginx.ingress.kubernetes.io/auth-url: 'http://authelia.default.svc.cluster.local/api/authz/auth-request'
   nginx.ingress.kubernetes.io/auth-signin: 'https://auth.example.com?rm=$request_method'
-  nginx.ingress.kubernetes.io/auth-response-headers: 'Authorization,Proxy-Authorization,Remote-User,Remote-Name,Remote-Groups,Remote-Email'
+  nginx.ingress.kubernetes.io/auth-response-headers: 'Remote-User,Remote-Name,Remote-Groups,Remote-Email'
 ```
 
 [ingress-nginx]: https://kubernetes.github.io/ingress-nginx/

docs/content/integration/kubernetes/traefik-ingress.md

@@ -68,8 +68,6 @@ spec:
   forwardAuth:
     address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth'
     authResponseHeaders:
-      - 'Authorization'
-      - 'Proxy-Authorization'
       - 'Remote-User'
       - 'Remote-Groups'
       - 'Remote-Email'

docs/content/integration/prologue/get-started.md

@@ -114,6 +114,6 @@ We consider it important to do several things in moving to a production environm
    to your requirements.
 3. Review the [Security Measures](../../overview/security/measures.md) and
    [Threat Model](../../overview/security/threat-model.md) documentation.
-4. Ensure you have reviewed the [Forwarded Headers](../proxies/fowarded-headers/index.md) documentation to ensure your
+4. Ensure you have reviewed the [Forwarded Headers](../proxies/forwarded-headers/index.md) documentation to ensure your
    proxy is not allowing insecure headers to be passed to *Authelia*.
 5. Review the other [Configuration Options](../../configuration/prologue/introduction.md).

docs/content/integration/proxies/caddy.md

@@ -26,9 +26,9 @@ __Authelia__ offers integration support for the official forward auth integratio
 officially support any plugin that supports this though we don't specifically prevent such plugins working and there may
 be plugins that work fine provided they support the forward authentication specification correctly.
 
-*__Important:__ When using these guides it's important to recognize that we cannot provide a guide for every possible
-method of deploying a proxy. These guides show a suggested setup only and you need to understand the proxy
-configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
+*__Important:__ When using these guides, it's important to recognize that we cannot provide a guide for every possible
+method of deploying a proxy. These guides show a suggested setup only, and you need to understand the proxy
+configuration and customize it to your needs. To-that-end, we include links to the official proxy documentation
 throughout this documentation and in the [See Also](#see-also) section.*
 
 ## Get started
@@ -90,7 +90,7 @@ following are the assumptions we make:
     * Authelia is on a different host to the proxy
 * All services are part of the `example.com` domain:
   * This domain and the subdomains will have to be adapted in all examples to match your specific domains unless you're
-    just testing or you want ot use that specific domain
+    just testing or you want to use that specific domain
 
 ## Implementation
 
@@ -148,7 +148,7 @@ nextcloud.example.com {
                 ## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest
                 ## this is configured in the Session Cookies section of the Authelia configuration.
                 # uri /api/authz/forward-auth?authelia_url=https://auth.example.com/
-                copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
+                copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
 
                 ## This import needs to be included if you're relying on a trusted proxies configuration.
                 import trusted_proxy_list
@@ -190,7 +190,7 @@ example.com {
         handle @nextcloud {
                 forward_auth authelia:9091 {
                         uri /api/authz/forward-auth?authelia_url=https://example.com/authelia/
-                        copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
+                        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
 
                         ## This import needs to be included if you're relying on a trusted proxies configuration.
                         import trusted_proxy_list
@@ -247,8 +247,6 @@ nextcloud.example.com {
                 ##   2. Copy the relevant headers from the auth request and provide them to the backend.
                 @good status 2xx
                 handle_response @good {
-                        request_header Authorization {http.reverse_proxy.header.Authorization}
-                        request_header Proxy-Authorization {http.reverse_proxy.header.Proxy-Authorization}
                         request_header Remote-User {http.reverse_proxy.header.Remote-User}
                         request_header Remote-Groups {http.reverse_proxy.header.Remote-Groups}
                         request_header Remote-Email {http.reverse_proxy.header.Remote-Email}
@@ -276,4 +274,4 @@ nextcloud.example.com {
 [Caddy Snippet]: https://caddyserver.com/docs/caddyfile/concepts#snippets
 [Caddy Forward Auth Documentation]: https://caddyserver.com/docs/caddyfile/directives/forward_auth
 [Caddy Trusted Proxies Documentation]: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#trusted_proxies
-[Forwarded Headers]: fowarded-headers
+[Forwarded Headers]: forwarded-headers

docs/content/integration/proxies/envoy.md

@@ -21,9 +21,9 @@ seo:
 
 [Envoy] is supported by __Authelia__.
 
-*__Important:__ When using these guides it's important to recognize that we cannot provide a guide for every possible
-method of deploying a proxy. These guides show a suggested setup only and you need to understand the proxy
-configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
+*__Important:__ When using these guides, it's important to recognize that we cannot provide a guide for every possible
+method of deploying a proxy. These guides show a suggested setup only, and you need to understand the proxy
+configuration and customize it to your needs. To-that-end, we include links to the official proxy documentation
 throughout this documentation and in the [See Also](#see-also) section.*
 
 ## Get started
@@ -64,7 +64,7 @@ following are the assumptions we make:
     * Authelia is on a different host to the proxy
 * All services are part of the `example.com` domain:
   * This domain and the subdomains will have to be adapted in all examples to match your specific domains unless you're
-    just testing or you want ot use that specific domain
+    just testing or you want to use that specific domain
 
 ## Implementation
 
@@ -244,8 +244,6 @@ static_resources:
                         authorization_response:
                           allowed_upstream_headers:
                             patterns:
-                              - exact: 'authorization'
-                              - exact: 'proxy-authorization'
                               - prefix: 'remote-'
                               - prefix: 'authelia-'
                           allowed_client_headers:
@@ -307,4 +305,4 @@ layered_runtime:
 * [Forwarded Headers]
 
 [Envoy]: https://www.envoyproxy.io/
-[Forwarded Headers]: fowarded-headers
+[Forwarded Headers]: forwarded-headers

docs/content/integration/proxies/haproxy.md

@@ -22,9 +22,9 @@ seo:
 
 [HAProxy] is a reverse proxy supported by __Authelia__.
 
-*__Important:__ When using these guides it's important to recognize that we cannot provide a guide for every possible
-method of deploying a proxy. These guides show a suggested setup only and you need to understand the proxy
-configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
+*__Important:__ When using these guides, it's important to recognize that we cannot provide a guide for every possible
+method of deploying a proxy. These guides show a suggested setup only, and you need to understand the proxy
+configuration and customize it to your needs. To-that-end, we include links to the official proxy documentation
 throughout this documentation and in the [See Also](#see-also) section.*
 
 ## Get started
@@ -93,7 +93,7 @@ following are the assumptions we make:
     * Authelia is on a different host to the proxy
 * All services are part of the `example.com` domain:
   * This domain and the subdomains will have to be adapted in all examples to match your specific domains unless you're
-    just testing or you want ot use that specific domain
+    just testing or you want to use that specific domain
 
 ## Implementation
 
@@ -226,7 +226,7 @@ frontend fe_http
     http-request set-header X-Forwarded-URI    %[path]%[var(req.questionmark)]%[query]
 
     # Protect endpoints with haproxy-auth-request and Authelia
-    http-request lua.auth-intercept be_authelia /api/authz/forward-auth HEAD * authorization,proxy-authorization,remote-user,remote-groups,remote-name,remote-email - if protected-frontends
+    http-request lua.auth-intercept be_authelia /api/authz/forward-auth HEAD * remote-user,remote-groups,remote-name,remote-email - if protected-frontends
     http-request deny if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 }
     http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
 
@@ -303,7 +303,7 @@ frontend fe_http
     http-request set-header X-Forwarded-URI    %[path]%[var(req.questionmark)]%[query]
 
     # Protect endpoints with haproxy-auth-request and Authelia
-    http-request lua.auth-intercept be_authelia_proxy /api/authz/forward-auth HEAD * authorization,proxy-authorization,remote-user,remote-groups,remote-name,remote-email - if protected-frontends
+    http-request lua.auth-intercept be_authelia_proxy /api/authz/forward-auth HEAD * remote-user,remote-groups,remote-name,remote-email - if protected-frontends
     http-request deny if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 }
     http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }
 
@@ -347,4 +347,4 @@ backend be_heimdall
 * [Forwarded Headers]
 
 [HAproxy]: https://www.haproxy.org/
-[Forwarded Headers]: fowarded-headers
+[Forwarded Headers]: forwarded-headers