I’ve been using the request template for a while and have noticed that the substitution of header value with non-secure iparams and context works well.
Whereas, substitution with secure iparam does not work.
Here’s a screenshot of the documentation where it is mentioned that secure iparam substitution is allowed in request header values.
To add on to what @Sudarsana_Raghavan mentioned, in the iparams page we don’t allow secure or non secure iparam values instead you would have to use context.
Yes, iparam is the correct way of working with it. Thanks for getting this to our attention. We will recheck and update it.
About the ticket sidebar placeholder app, can you share the app so that we can understand which Request Template and how the substitutions are made so that we can test it better.
Thanks for pointing that out in the sample app. As @zach_jones_noel mentioned, could you please share the app so that we can check this from our end? I made a sample request from the ticket side_bar and I am able to substitute secure iparams in the headers.
I observed that you are trying to access a secure iparam in the host <%= iparam. secureConfigs.i0.host %>". I missed this from your snippet earlier - from the documentation, we allow only non-secure iparams in the host. I suspect that this might be the reason for the issue you are facing. Could you please try fetching the host from a non-secure iparam and let us know if you still face the template substitution issue?
We wanted to avoid the loophole where an intruder uses the secure iparam to replace host that can throw an error like : ‘Unable to resolve host <secure_iparam_value>’ and leak the value. So, we went ahead with this.