Add support for custom HTTP headers in tile requests #383
Description
Feature Description
Use Case:
I'm serving PMTiles with TOTP-based authentication for security. Currently, I'm passing the token as a URL query parameter (?token=123456), but this
is suboptimal because:
- Security: Tokens appear in logs, browser history, and cache keys
- Caching: Each token rotation creates new cache entries, reducing cache efficiency
- Best Practice: Authentication tokens should be sent via headers (e.g., Authorization or X-Map-Token)
Requested Feature:
Add support for custom HTTP headers when fetching tiles from tile sources (PMTiles, raster, vector). This would allow:
MapLibreMap(
styleString: styleJson,
tileRequestHeaders: {
'X-Map-Token': totpToken,
'Authorization': 'Bearer $token',
},
)Benefits:
- Tokens excluded from URLs (better security, cleaner logs)
- Improved cache efficiency (cache key based on URL, not token)
- Follows HTTP authentication best practices
- Enables proper CDN caching with authenticated tiles
Current Workaround:
Using query parameters (/tiles.pmtiles?token=123456), which works but has the limitations mentioned above.
Sample Use Case
MapLibreMap(
styleString: styleJson,
tileRequestHeaders: {
'X-Map-Token': totpToken,
'Authorization': 'Bearer $token',
},
)Existing Alternatives or Workarounds
Using query parameters (/tiles.pmtiles?token=123456), which works but has the limitations mentioned above.
Additional Context
No response