Match authentication header

Hi,

I want to quickly protect an endpoint and thought I could use a header matcher in the VirtualService to do this. I’ve more or less duplicated this example from the docs and done it like this:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-ingress
  namespace: some-namespace
spec:
  hosts:
  - "foo.bar.mydomain.com"
  gateways:
  - default-gateway.istio-system.svc.cluster.local
  - gateway-ha.istio-system.svc.cluster.local
  http:
  - match:
    - headers:
        authorization:
          exact: some-unique-string-here
      name: some-name
    route:
    - destination:
        host: my-service

The intention is that clients must set the Authorization header to the same value to be able to call the endpoint, but it doesn’t seem to work. The request goes through even without the header.

Maybe I misunderstand the way header matching works?

If there are other simple ways to achieve something similar (token, basic auth) I’d also like to hear about that.