
HTTP Header not detected

Hello All,

We have got the vulnerability "HTTP header not detected" for a few of our F5 webtop URLs. Do we know how we can fix this? Do we have an iRule which can be applied to fix this?

These URLs are hosted on F5 APM.

Thanks

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello Puluck,

How did you detect this vulnerability? If you are using a known vulnerability scanner such as Qualys or another, could you add the description given by the editor for this vulnerability?

Indeed, it will help us give you the best way to treat this.

APM has by default security options such as the "Secure" & "HTTP Only" flags for cookie headers.

Once we know why the scanner is raising this vulnerability we can add more security headers to enforce your webtop.

Regards

1
Comments on this Answer
Comment made 14-Jan-2018 by puluck 210

It was detected by Secureworks. We have tried writing an iRule which inserted a few headers, but when we wrote an iRule to insert a header for CSP, issues got reported stating that content was not getting loaded.

0
Comment made 15-Jan-2018 by Jad Tabbara (JTI) 2360

Could you post the iRule here?

Are the issues reported on your browser or the F5? Could you describe/share more...

Maybe the browser does not support CSP, or maybe you are giving a wrong value in the CSP header.

Have you tried to use the Same Origin/Cross Origin Policies instead of the Content Security Policy?

Regards

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This sounds like it's coming from Qualys and it's complaining about certain HTTP headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, CSP, etc. being missing from the HTTP response. You can add them all via an iRule to tighten the security headers and it's covered in great detail here:

Part 1: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-1-27511
Part 2: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-2-27512
Part 3: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-3-27702
0
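
An iRule of the kind this answer points to, as an added example that is not from the thread or the linked articles: it sets the headers named above and sends CSP in report-only mode first, so a policy that would stop webtop content from loading shows up as browser console violations instead of a broken page. The header values and the CSP policy are constructed starting points, and using HTTP_RESPONSE_RELEASE is a choice made here so that pages APM generates itself are covered.

```tcl
# Added example: attach to the APM virtual server.
# All header values below are constructed starting points.
when RULE_INIT {
    # 1 = send CSP as report-only (nothing is blocked); 0 = enforce it.
    set static::csp_report_only 1
    # Assumed policy: allows inline script/style on the assumption that the
    # webtop pages need them. Adjust to what the webtop actually loads.
    set static::csp_policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'"
}

# HTTP_RESPONSE_RELEASE fires just before any response leaves for the
# client, including responses APM generates itself (logon page, webtop).
when HTTP_RESPONSE_RELEASE {
    # Fixed-value headers: drop every existing copy, then insert one.
    foreach {name value} {
        X-Frame-Options        "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection       "1; mode=block"
    } {
        HTTP::header remove $name
        HTTP::header insert $name $value
    }

    # Leave alone any enforcing policy a backend application already sent.
    if { !([HTTP::header exists "Content-Security-Policy"]) } {
        if { $static::csp_report_only } {
            # Browser logs violations to its console but still loads content.
            HTTP::header remove "Content-Security-Policy-Report-Only"
            HTTP::header insert "Content-Security-Policy-Report-Only" $static::csp_policy
        } else {
            HTTP::header insert "Content-Security-Policy" $static::csp_policy
        }
    }
}
```

A scanner may keep reporting CSP as missing while the report-only header is in use; set `static::csp_report_only` to 0 once the browser console shows no violations for the webtop.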