We use a ServiceCallout to send these variables to a dedicated API for Bot Protection.On our API backend both " " are missing (I guess it should be url encoded ?)

How do you construct the request to the service callout? I guess the values of those headers ... they do not get mapped to a header. They are being placed into a JSON payload I suppose? Is that right?

The issue is that the .getVariable() method tries to be helpful. In HTTP, Headers can in general appear multiple times with distinct values, and it's ok for senders (clients or servers) to concatenate the distinct multiple values of the header into a single header line, with the values separated by commas. So these options are defined to be semantically equivalent:

my-header: x
my-header: y

my-header: x, y

Find the relevant spec here.

The Apigee runtime tries to be helpful in exposing each one of those distinct values as its own variable. You can call getVariable() on request.header.my-header.1 for the first value (x), and on request.header.my-header.1 for the second (y). This is documented here. Apigee behavior is by-the-book here; it just splits the entire header value by commas and gives you the piece parts, irrespective of how any quotes or parens or anything else in the header value might imply other framing. If you call getVariable() with request.header.my-header (without the trailing index) for a header with a value that contains one or more commas, by default you get the FIRST value. Not all the values. So in your case, context.getVariable("request.header.Sec-CH-UA") will give you the text value up to the first comma.

There are some cases where you don't want Apigee to do that - you don't want Apigee to treat a header value that contains commas as a multi-valued header. To tell Apigee "just give me the string" , you can use .values.string as the suffix. Eg, context.getVariable("request.header.Sec-CH-UA.values.string").

When I use that form, I see the headers in their entirety, as expected.