From 0e76e1b968d21c98eb1b1e9f8947d0775e1daa11 Mon Sep 17 00:00:00 2001 From: Johnson Shi <13926417+johnsonshi@users.noreply.github.com> Date: Sun, 7 Jun 2026 10:33:51 -0700 Subject: [PATCH 1/2] Add MDC source-client header values and clarify header usage scope Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/http-headers.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/http-headers.md b/docs/http-headers.md index f2eeeef4..02a6e1b5 100644 --- a/docs/http-headers.md +++ b/docs/http-headers.md 
@@ -66,3 +66,17 @@ The values we ask ACR partners to use when populating the `X-Meta-Source-Client` | VSTS | `azure/vsts` | | ACR Tasks | `azure/acr/tasks` | | ACR Connected Registry | `azure/acr/connected-registry/instance-1` | +| Microsoft Defender for Cloud - ACR scanner that pulls images for vulnerability assessment | `azure/mdc/scanner-svc-image-puller` | +| Microsoft Defender for Cloud - ACR scanner for registry discovery and metadata | `azure/mdc/scanner-svc-image-discovery` | +| Microsoft Defender for Cloud - Azure DevOps CLI scanner that pulls images | `azure/mdc/scanner-ado-cli-image-puller` | + +## How ACR uses this header + +The `X-Meta-Source-Client` header is a client-supplied, unauthenticated, and untrusted value. Both Microsoft and non-Microsoft clients can set or modify it freely, and ACR does not validate it during requests. ACR uses this header **only** for telemetry — traffic analysis, aggregation, and attribution of request sources to understand usage patterns. Specifically, ACR does **not** use this header for: + +- Authentication or authorization +- Throttling, rate limiting, or quota calculations or exemptions +- Request routing or prioritization +- Any other business or control-plane logic + +Likewise, anything that observes or consumes this traffic or its telemetry — service meshes, proxies, gateways, traffic analyzers, monitoring systems, and business analytics dashboards or reports — should not take a trusted dependency on this header's value, since it is self-reported by the client. From 032b160b984764d549bce02101e559014b38926b Mon Sep 17 00:00:00 2001 
From: Johnson Shi <13926417+johnsonshi@users.noreply.github.com> Date: Thu, 11 Jun 2026 21:22:12 -0700 Subject: [PATCH 2/2] Add MDC image-enrichment source-client value Adds azure/mdc/scanner-svc-image-enrichment for the Defender for Cloud container image enrichment workflow, requested by the MDC team during internal review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/http-headers.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/http-headers.md b/docs/http-headers.md index 02a6e1b5..78abaacc 100644 --- a/docs/http-headers.md +++ b/docs/http-headers.md @@ -68,6 +68,7 @@ The values we ask ACR partners to use when populating the `X-Meta-Source-Client` | ACR Connected Registry | `azure/acr/connected-registry/instance-1` | | Microsoft Defender for Cloud - ACR scanner that pulls images for vulnerability assessment | `azure/mdc/scanner-svc-image-puller` | | Microsoft Defender for Cloud - ACR scanner for registry discovery and metadata | `azure/mdc/scanner-svc-image-discovery` | +| Microsoft Defender for Cloud - ACR scanner for container image enrichment | `azure/mdc/scanner-svc-image-enrichment` | | Microsoft Defender for Cloud - Azure DevOps CLI scanner that pulls images | `azure/mdc/scanner-ado-cli-image-puller` | ## How ACR uses this header
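Review bot: In [PATCH 1/2], the closing paragraph of the new "How ACR uses this header" section tells downstream consumers not to take a trusted dependency on the value, but it does not say how to handle the value once it is stored or displayed. Since the section states that ACR does not validate the header and that any client can set it freely, consider adding a sentence that telemetry pipelines, dashboards and reports should treat it as arbitrary client input: bound its length, escape it before rendering, and expect values that are not in the table above. As a style point, the three added table rows put long descriptive phrases in the first column ("Microsoft Defender for Cloud - ACR scanner that pulls images for vulnerability assessment") where the existing rows use short names such as "VSTS" and "ACR Tasks"; a short name with the description moved to the prose would keep the table consistent.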
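Review bot: In [PATCH 2/2], the added row for `azure/mdc/scanner-svc-image-enrichment` describes the client only as "ACR scanner for container image enrichment", which does not tell a reader of the telemetry what kind of registry traffic to expect from it. The neighbouring rows say whether the client pulls images or performs registry discovery and metadata reads; suggest stating the same for the enrichment workflow so the three `scanner-svc-*` values can be told apart from the table alone. The commit message mentions that the value was requested during internal review, so a one-line description from the requesting team would be enough.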