Forum Discussion
Hi Doke,
there isn't much room to protect against HEIST on the F5 level...
- Adding a random-length HTTP::header value to each HTTP response, or using dynamic window sizes, will "just" slow down the HEIST attack. The length differences of your responses must be very huge to make this technique even effective (e.g. a 1 to 50 kbyte header padding makes the attack just ~50,000 times slower but still not impossible).
- Disabling GZIP and SSL compression will mitigate the most feared attack vectors of the HEIST technique (aka defending against the CRIME and BREACH style attacks).

In the end it's far more effective to...

- Pentest your web applications and keep an eye on externally accessible functions without CSRF protection or functions that can be used for request reflections.
- Disallow 3rd party cookies in your internal users' browsers and/or recommend your customers to secure their systems (as always :-)
Cheers, Kai
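The two F5-side measures mentioned in the post (random-length response header padding and disabling compression), written out as an added iRule example; this is not code from the original post or from F5, and it assumes an LTM virtual server with an HTTP profile and a compression profile attached. The header name `X-Pad` and the padding range are constructed for illustration; the post's own point stands: padding only raises the attacker's sample count, it does not remove the length side channel, whereas disabling compression removes the CRIME/BREACH-style vector itself.

```tcl
# Added example iRule (assumption: attached to an LTM virtual server with an
# HTTP profile; a compression profile must be attached for COMPRESS::disable
# to have any effect). Not from the original post.

when HTTP_REQUEST {
    # Mitigation 2 from the post: turn off HTTP compression for this request
    # so response length no longer depends on how well a reflected secret
    # compresses. This is the measure that actually removes the
    # compression-based length oracle.
    COMPRESS::disable
}

when HTTP_RESPONSE {
    # Mitigation 1 from the post: add a random-length header to every
    # response. Length is drawn uniformly from 1..50000 bytes, the range
    # the post uses in its estimate. Note: this only adds noise; an
    # attacker can average it out with more samples (the post's ~50,000x).
    # Very large headers may exceed the HTTP profile's maximum header size,
    # so size the upper bound to what the profile permits (assumption).
    set padlen [expr {int(rand() * 50000) + 1}]
    HTTP::header insert X-Pad [string repeat "x" $padlen]
}
```

When deploying, verify on the wire (e.g. with a browser's network tab) that responses no longer carry `Content-Encoding: gzip` and that the `X-Pad` length varies between otherwise identical requests; the compression check is the one worth alerting on, since re-enabling a compression profile silently brings the BREACH-style vector back.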