In most cases, there is an upper-limit of 30 seconds imposed by the app server
or Nginx. If your requests are taking this long, you should probably be looking
into other options to lower the response time.
Middleware for request tracing
We set a unique header at the cache level called Govuk-Request-Id, and also
set a header called Govuk-Original-Url to identify the original URL
requested. If apps make API requests in order to serve a user’s request, they
should pass on these headers, so that requests can be traced across the entire
The GdsApi::GovukHeaderSniffer middleware takes care of this. This gem
contains a railtie that configures this middleware for Rails apps without extra
effort. Other Rack-based apps should opt-in by adding these lines to your
use GdsApi::GovukHeaderSniffer, 'HTTP_GOVUK_REQUEST_ID'
use GdsApi::GovukHeaderSniffer, 'HTTP_GOVUK_ORIGINAL_URL'
Middleware for identifying authenticated users
Applications can make use of user-based identification for additional
authorisation when making API requests. Any application that is using gds-sso
for authentication can set an additional header called
‘X-Govuk-Authenticated-User’ to identify the currently authenticated user ID.
This will automatically be picked up by the GdsApi::GovukHeaderSniffer
middleware in Rails applications and sent with API requests so that the
downstream service can optionally use the identifier to perform authorisation
on the request. This will be used by content-store as a mechanism to only
return access-limited content to authenticated and authorised users.
There are also test helpers for stubbing various requests in other apps.