The Visual Builder Cloud Service Blog

Secure Static Headers for Visual Builder Service Connections

Aparna Gaonkar
Product Manager

In Visual Builder 19.1.3 we introduced a new feature for Service connections – Secure Static Headers.  With this, we can now add header parameters to the Service connections which will only be applied securely from the VB server side and never be brought to the browser/client end.

In a previous blog post , we discussed about the two broad strategies to connect to external Services from Visual Builder – Direct or Proxy.  In the Proxy method, we rely on the VB server side proxy to pass on our request to the external service with the appropriate authentication applied.  The credentials (client id/secret etc.) or the final Authorization header that is applied are never brought to the browser/client end.


What if there were other headers that we needed to pass to the service in this fashion?  For example – take the case of a service that has a special header called X-System-API-Key which needs to be transmitted securely.  In this case, the header can be added as a Secure Static Header.

Another case could be systems where the Authorization header is given as a long lived Bearer token or a special key.  For example, Oracle Mobile Hub REST API has one such authentication option called the Anonymous key (shown in the below figure) which needs to be passed to the calling service as “Basic <AnonymousKey>” (See OMH documentation for more details).  We require two things to connect to an OMH backend REST API in this manner - the Anonymous key and the Backend ID.

We can configure this in Visual Builder with Secure Static Headers.  You might have noted that Visual Builder gives you the flexibility of defining headers either at the Service level, or at individual Endpoint level.  If a particular header parameter is defined at Service level, it is applicable to all the Endpoints that are added to the Service (and saves you from the hassle of repeating this configuration for all endpoints).  The option of defining Secure Static Headers is only at the Service level for now.

Below are the steps for connecting to an Oracle Mobile Hub Backend API with the Anonymous key using Visual Builder’s Secure Static headers functionality:

  1. Create a Service Connection by using “Define by Endpoint” flow. 

  2. For authentication, we are not given a username and password by Oracle Mobile Hub, but rather a string (“Basic <AnonymousKey>”), hence we would choose “Enable authentication/proxy” and choose “None” (and later add the Authorization as a secure static header).  Note we will not be able to add secure static headers just right now, because the options displayed in this flow are only to add headers at endpoint level

  3. Navigate to Response tab and provide an empty response body “{}” for now

  1. Create the Service Connection

  2. Open the newly created Service Connection, navigate to the Headers tab.  This now shows you a list of the Service level headers (which is empty in our case).  Add the following:

  • Authorization header as a Secure Static header with the value “Basic <AnonymousKey>” obtained from OMH settings.  
  • Oracle-mobile-backend-id as a Static header with the value of the <BackendId> obtained from the OMH settings.

  1. Now navigate to Endpoints, choose the required endpoint (/dummy in this example).  Navigate to the Test tab corresponding to this endpoint and test the service.  This should now give a successful result.

  1. Use the test response as an example by clicking on “Copy to Response Body”


Now this Service Connection is ready to be used in applications.  For adding another endpoint, simply go to the Service Connection -> Endpoints and add another Endpoint.  You will not need to add any Authorization / Oracle-Mobile-Backend-Id headers now, as they were already defined at the Service level.


Some additional points to note:

  • The example of Oracle Mobile Hub using Anonymous key is only used as an illustration for Secure Static headers.  You can very well configure an Oracle Mobile Hub REST API with Basic Auth/Client Credentials/Resource Owner Password authentication as well

  • “None” is the only authentication mechanism that allows you to define a static Authorization header.  If you try to use this with “Basic” for example, the hardcoded static Authorization header will be ignored, and whatever is set in the Authentication tab (Username / Password) will take precedence.



Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.