From c37469b5ba80363a50cf5a565275a4f526217d53 Mon Sep 17 00:00:00 2001 From: Thibault Sottiaux Date: Mon, 20 Oct 2025 15:04:02 -0700 Subject: [PATCH] docs: clarify responses proxy metadata (#5406) --- codex-rs/responses-api-proxy/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/codex-rs/responses-api-proxy/README.md b/codex-rs/responses-api-proxy/README.md index 31ac9c45..1109271c 100644 --- a/codex-rs/responses-api-proxy/README.md +++ b/codex-rs/responses-api-proxy/README.md @@ -33,8 +33,8 @@ curl --fail --silent --show-error "${PROXY_BASE_URL}/shutdown" - Reads the API key from `stdin`. All callers should pipe the key in (for example, `printenv OPENAI_API_KEY | codex-responses-api-proxy`). - Formats the header value as `Bearer ` and attempts to `mlock(2)` the memory holding that header so it is not swapped to disk. - Listens on the provided port or an ephemeral port if `--port` is not specified. -- Accepts exactly `POST /v1/responses` (no query string). The request body is forwarded to `https://api.openai.com/v1/responses` with `Authorization: Bearer ` set. All original request headers (except any incoming `Authorization`) are forwarded upstream. For other requests, it responds with `403`. -- Optionally writes a single-line JSON file with server info, currently `{ "port": }`. +- Accepts exactly `POST /v1/responses` (no query string). The request body is forwarded to `https://api.openai.com/v1/responses` with `Authorization: Bearer ` set. All original request headers (except any incoming `Authorization`) are forwarded upstream, with `Host` overridden to `api.openai.com`. For other requests, it responds with `403`. +- Optionally writes a single-line JSON file with server info, currently `{ "port": , "pid": }`. - Optional `--http-shutdown` enables `GET /shutdown` to terminate the process with exit code `0`. This allows one user (e.g., `root`) to start the proxy and another unprivileged user on the host to shut it down. ## CLI 
@@ -50,7 +50,7 @@ codex-responses-api-proxy [--port ] [--server-info ] [--http-shutdow ## Notes - Only `POST /v1/responses` is permitted. No query strings are allowed. -- All request headers are forwarded to the upstream call (aside from overriding `Authorization`). Response status and content-type are mirrored from upstream. +- All request headers are forwarded to the upstream call (aside from overriding `Authorization` and `Host`). Response status and content-type are mirrored from upstream. ## Hardening Details
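Review bot: In the first hunk (the behaviour list), the server-info bullet now lists `pid` next to `port` but does not say which process it identifies or what a consumer of the file is expected to do with it. The following bullet already describes `--http-shutdown` as the way for another user to stop the proxy, so a short clause stating the purpose of `pid` would keep readers from guessing. In the same hunk, the forwarding bullet now names its header exceptions in two places (`Authorization` in the parenthetical, `Host` in a trailing clause); folding both into a single parenthetical would read more clearly.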
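Review bot: In the Notes hunk, the updated line says `Host` is overridden but not to what, while the behaviour list earlier in the README gives the value `api.openai.com`. Suggest repeating the value here, for example "aside from overriding `Authorization` and `Host` (set to `api.openai.com`)", so the two sections cannot be read as describing different behaviour.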