How can Amazon add its own headers when I make HTTPS requests to a web application?

Çağlar Arlı

I was playing with httpbin.org to test a client and discovered that some sites will get a header I did not set (X-Amzn-Trace-Id). If I do a curl https://httpbin.org/headers (which will respond with the requested headers), I see the response is:

{
  "headers": {
    "Accept": "*/*", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/8.7.1", 
    "X-Amzn-Trace-Id": "Root=1-66127890-7529a74840506490285bd85b"
  }
}

I googled a bit and found out there is this thing called "HTTPS interception" that lets someone in between add/edit headers (among other things). I'm wondering how this works. The incriminated header was from Amazon, but Cloudflare does something similar. I verified the server (httpbin.org) certificate and it is legit, so how can someone else tinker with my request?

The httpbin.org certificate was issued by Amazon. Does this limit the power of Amazon to "HTTPS intercept" only to servers that use their certificates?