Forum Discussion
Yann_Desmarest
Cirrus
Hi,
You can add headers with a random length of chars. But at the end, I think that this is not a solution that can effectively prevent the HEIST attack, because of many things: compression, block ciphers, etc. that may lead to the same encrypted size.
Today, the only way to really prevent the HEIST attack is to disable the "third party cookies" option in your browser. Disabling this feature may have many other unwanted side effects on the JS apps running.
You should consider a technology like Websafe to prevent this attack.
Yann_Desmarest
Aug 05, 2016
If you want to generate a random header, you can use the code below:
when RULE_INIT {
    # Number of random letters to generate
    set static::count 100
    # Create a list of the letters indexed 0 through 25
    set static::letters [list a b c d e f g h i j k l m n o p q r s t u v w x y z]
}
when HTTP_RESPONSE {
    # Initialize a variable to store the random letters in
    set random ""
    # Loop through X times where X is the number of random letters to generate
    for { set i 1 } { $i <= $static::count } { incr i } {
        # Generate a random number between 0 and 1 using rand(), multiply it by 26
        # to get a number representing a letter, and use int to trim off the decimal value
        set rand [expr { int(rand() * 26) }]
        # Letters live in the static:: namespace, so they must be read from there
        append random [lindex $static::letters $rand]
        # Or in one command:
        # append random [lindex $static::letters [expr { int(rand() * 26) }]]
    }
    HTTP::header insert "RandomHeader" $random
}
Code taken from: random letter generator
You can customize the values to increase/decrease the header value length.
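The iRule above pads every response with a header of the same fixed length, so it shifts the response size by a constant and does not change how much one response differs from another. The variant below is an added example, not part of the original post or of the linked codeshare entry: it draws a new header length for each response from an assumed range (static::min_len and static::max_len are my values, and X-Random-Padding is an assumed header name), which is closer to the "random length" idea mentioned earlier in the thread.

```tcl
when RULE_INIT {
    # Assumed bounds (not from the original post): every response gets a header
    # value of between static::min_len and static::max_len letters, chosen per response.
    # Keep the range well above the cipher block size, otherwise block rounding can
    # still leave many responses at the same encrypted length.
    set static::min_len 16
    set static::max_len 256
    # Alphabet indexed 0 through 25
    set static::letters [list a b c d e f g h i j k l m n o p q r s t u v w x y z]
}

when HTTP_RESPONSE {
    # Pick a fresh length for this response so the padding is not a constant offset
    set span [expr { $static::max_len - $static::min_len + 1 }]
    set len  [expr { $static::min_len + int(rand() * $span) }]

    # Fill the value with $len random letters
    set random ""
    for { set i 0 } { $i < $len } { incr i } {
        append random [lindex $static::letters [expr { int(rand() * 26) }]]
    }

    # Header name is an assumption; the response body itself is left untouched
    HTTP::header insert "X-Random-Padding" $random
}
```

As the first reply notes, this only blurs the size signal rather than removing it: the padding rides inside the same TLS records as the body, so compression of the body and block-cipher rounding still apply, and a single response size can be recovered by averaging repeated measurements. Treat it as a defence-in-depth tweak on the BIG-IP, not as the fix for the underlying cross-origin size leak.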