Forum Discussion

mahanth
Feb 11, 2020

SecurityHeaders

Can we add the missing headers and remove the RAW headers using an iRule?

Missing Headers: Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Feature-Policy

Remove RAW Headers: Server, X-AspNetMvc-Version, X-AspNet-Version, X-Powered-By

2 Replies

  • Thanks Lidev. I have added a few more headers and below is the iRule. However, the vulnerability is gone but the webpage doesn't look right (except in IE). Not all images on the webpage are being displayed, the position of the sign-in section has moved, etc.

     

    when HTTP_RESPONSE {
      # Strip the server fingerprint first: the X-* loop below would otherwise
      # also delete the X-Frame-Options and X-Content-Type-Options headers
      # that are inserted further down.
      HTTP::header remove Server

      # Remove every header whose name starts with X- (X-Powered-By,
      # X-AspNet-Version, X-AspNetMvc-Version, ...). [HTTP::header names]
      # is evaluated once before the loop, so removing inside it is safe.
      foreach header_name [HTTP::header names] {
        if { [string match -nocase x-* $header_name] } {
          HTTP::header remove $header_name
        }
      }

      # Add each security header only if the origin did not already set it.
      if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert X-Frame-Options "DENY"
      }
      if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
      }
      if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert X-Content-Type-Options "nosniff"
      }
      # 'self' only: inline scripts and styles, and anything loaded from another
      # host (CDN images, fonts, third-party widgets), are blocked by the browser.
      if { !([HTTP::header exists "Content-Security-Policy"]) } {
        HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; upgrade-insecure-requests"
      }
      if { !([HTTP::header exists "Referrer-Policy"]) } {
        HTTP::header insert Referrer-Policy "strict-origin"
      }
      if { !([HTTP::header exists "Feature-Policy"]) } {
        HTTP::header insert Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'"
      }
    }
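The following is an added example, not code from the thread or from F5: an offline Python model of the header policy the question describes. `audit()` reports which of the required headers are missing and which of the leaky headers are present (both lists are the ones in the question) and adds a few value checks, including a warning for Content-Security-Policy directives that allow only 'self', since such a policy blocks inline code and every resource served from another host. `apply_policy()` mimics the iRule's transform so that the order of the insert step and the X-* removal loop can be checked before a rule goes onto a BIG-IP. The sample origin response, the hypothetical `Feature-Policy` value and all function names are constructed for this example.

```python
# Added example (not code from the thread or from F5): an offline model of the
# header policy in the question. audit() lists required headers that are
# missing and leaky headers that are present, with a few value checks;
# apply_policy() mimics the iRule so the order of insert vs. X-* removal can
# be checked. The origin response and Feature-Policy value are constructed.
import re

REQUIRED = ("Content-Security-Policy", "X-Content-Type-Options", "Referrer-Policy",
            "Feature-Policy", "X-Frame-Options", "Strict-Transport-Security")
LEAKY = ("Server", "X-AspNetMvc-Version", "X-AspNet-Version", "X-Powered-By")

# Values inserted when a header is absent, taken from the posted iRule.
DEFAULTS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; "
                               "font-src 'self'; img-src 'self'; frame-src 'self'; "
                               "upgrade-insecure-requests",
    "Referrer-Policy": "strict-origin",
    "Feature-Policy": "geolocation 'none'; camera 'none'; microphone 'none'",  # constructed
}

# Constructed: what an unhardened IIS/ASP.NET origin might send back.
SAMPLE_ORIGIN_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Microsoft-IIS/10.0"),
    ("X-AspNetMvc-Version", "5.2"),
    ("X-AspNet-Version", "4.0.30319"),
    ("X-Powered-By", "ASP.NET"),
]

def _find(headers, name):
    """Case-insensitive lookup over (name, value) pairs; header names are not case-sensitive."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

def _strip_leaky(headers):
    """The removal step: drop Server and every header whose name starts with X-."""
    return [(k, v) for k, v in headers
            if k.lower() != "server" and not k.lower().startswith("x-")]

def _insert_missing(headers):
    """The insert step: add each default only when the header is absent."""
    out = list(headers)
    for name, value in DEFAULTS.items():
        if _find(out, name) is None:
            out.append((name, value))
    return out

def apply_policy(headers, remove_first=True):
    """Response headers after the transform. remove_first=False reproduces the
    posted rule's order (insert, then strip X-*), which deletes the freshly
    inserted X-Frame-Options and X-Content-Type-Options again."""
    if remove_first:
        return _insert_missing(_strip_leaky(headers))
    return _strip_leaky(_insert_missing(headers))

def _csp_directives(csp):
    """Parse 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit(headers):
    """Return missing required headers, present leaky headers, and value warnings."""
    missing = [h for h in REQUIRED if _find(headers, h) is None]
    leaky = [h for h in LEAKY if _find(headers, h) is not None]
    warnings = []
    hsts = _find(headers, "Strict-Transport-Security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < 31536000:
            warnings.append("Strict-Transport-Security max-age is below one year")
    xcto = _find(headers, "X-Content-Type-Options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        warnings.append("X-Content-Type-Options is not 'nosniff'")
    csp = _find(headers, "Content-Security-Policy")
    if csp is not None:
        directives = _csp_directives(csp)
        # A fetch directive allowing only 'self' blocks inline code and every
        # resource served from another host (CDN images, fonts, widgets).
        for name in ("script-src", "style-src", "img-src", "font-src"):
            if directives.get(name, directives.get("default-src")) == ["'self'"]:
                warnings.append(f"CSP {name} allows only 'self': inline and "
                                "cross-origin resources of that type are blocked")
    return {"missing": missing, "leaky": leaky, "warnings": warnings}
```

Running `audit(apply_policy(SAMPLE_ORIGIN_RESPONSE, remove_first=False))` shows the posted ordering leaves X-Frame-Options and X-Content-Type-Options missing, while `apply_policy(SAMPLE_ORIGIN_RESPONSE)` (remove first, then insert) satisfies both lists; the four CSP warnings it still produces are the same 'self'-only directives that stop a page from loading images, fonts or inline scripts from anywhere but its own origin. To audit a live server, build the `headers` list from `response.getheaders()` of an `http.client` response.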