Server Resource Cloaking

Problem this snippet solves:

This iRule illustrates how to "hide" server specifics from snooping clients.

This iRule cleans up the Web server's response headers so that information useful to an attacker fingerprinting the application and the servers behind your Web site is never transmitted. The alternative to cloaking at the BIG-IP is to police and clean the headers each application emits individually, which creates significant management overhead. The rule removes every response header that is not in its inclusion list.

when HTTP_RESPONSE {
  #
  # Remove all but the given headers.
  #
  HTTP::header sanitize "ETag" "Content-Type" "Connection"
}

Note: As written, the rule above will break most session-based applications, because Set-Cookie is not in the inclusion list and is removed. It will also break caching, since Cache-Control, Expires and Last-Modified are not in the list either, and it can break authentication challenges that depend on WWW-Authenticate.

Also, because the HTTP::header sanitize function does not actually remove every header outside the list (check the documentation for your BIG-IP version for the headers it always retains), it is more robust to maintain an explicit white list or black list and use HTTP::header remove to strip headers yourself. Below is an example which removes a black list of headers. You might also consider removing only Server, Date and headers starting with X-; if you take the X- route, exempt the browser security headers such as X-Frame-Options and X-Content-Type-Options, which a blanket rule would otherwise strip along with the fingerprinting ones.
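The following iRule is an added example of that black-list approach, not the original author's snippet. It assumes a BIG-IP LTM virtual server with an HTTP profile, and the list of headers it strips is a constructed one covering common stack-identifying headers (Server, X-Powered-By, X-AspNet-Version and friends); extend it with whatever your own servers emit. It strips the rest of the X- headers but keeps the browser security headers, and it deliberately leaves Date alone because HTTP caches use Date to compute freshness.

```tcl
# Added example (not the original post's code): deny-list server cloaking.
# Assumes BIG-IP LTM with an HTTP profile attached to the virtual server.
when HTTP_RESPONSE {
    # Headers that only identify the back-end software stack; remove every
    # instance. This list is constructed for the example; extend it to match
    # what your application servers actually send.
    foreach hdr {Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version X-Generator X-Runtime Via} {
        HTTP::header remove $hdr
    }

    # Strip any remaining X- header, except the ones browsers rely on for
    # protection. Removing those would weaken the site rather than hide it.
    set keep [list x-frame-options x-content-type-options x-xss-protection x-permitted-cross-domain-policies]
    foreach name [HTTP::header names] {
        set lname [string tolower $name]
        if { [string match "x-*" $lname] && [lsearch -exact $keep $lname] < 0 } {
            HTTP::header remove $name
        }
    }

    # A missing Server header is itself a tell that a proxy is rewriting
    # responses, so present one neutral value for every pool member instead.
    HTTP::header replace Server "web"
}
```

Iterating over the list returned by HTTP::header names while removing headers is safe because the list is a snapshot; HTTP::header remove drops all instances of a name, so duplicates are handled on the first hit. Verify the result from outside the network with a plain request for a page, a redirect and an error response, since error pages and redirects are where application servers most often leak a different set of headers.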