We have got a vulnerability, "HTTP header not detected", for a few of our F5 webtop URLs. Do we know how we can fix this? Do we have an iRule which can be applied to fix this?
These URLs are hosted on F5 APM.
How did you detect this vulnerability? If you are using a known vulnerability scanner such as Qualys or another, could you add the description given by the vendor for this vulnerability...
Indeed, it will help us to give you the best way to treat this.
APM has by default security options such as the "Secure" and "HttpOnly" flags for cookie headers.
Once we know why the scanner is raising this vulnerability, we can add more security headers to harden your webtop.
It was detected by Secureworks. We have tried writing an iRule which inserted a few headers, but when we wrote an iRule to insert a header for CSP, issues got reported stating that content was not getting loaded.
Could you post the iRule here?
Are the issues reported on your browser or on the F5? Could you describe/share more...
Maybe the browser does not support CSP, or maybe you are giving a wrong value in the CSP header.
Have you tried to use the Same-Origin/Cross-Origin policies instead of the Content Security Policy?
This sounds like it's coming from Qualys, and it's complaining about certain HTTP headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, CSP, etc. being missing from the HTTP response. You can add them all via an iRule to tighten the security headers, and it's covered in great detail here:
Part 1: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-1-27511
Part 2: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-2-27512
Part 3: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-3-27702
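As an added example (not part of the original thread or of the linked articles), here is one iRule that adds the headers the scanner is likely looking for, without the failure the original poster hit with CSP. The header values, the use of the HTTP_RESPONSE_RELEASE event (chosen on the assumption that it fires for pages APM generates locally, such as the webtop, where HTTP_RESPONSE would not) and the CSP policy string are all assumptions to be tuned for your site:

```tcl
# Added example iRule: insert security headers on an APM webtop virtual server.
# Assumptions: HTTPS virtual (HSTS only makes sense on TLS), HTTP_RESPONSE_RELEASE
# fires for APM-generated pages, and the CSP policy below matches your webtop.
when RULE_INIT {
    # Headers added only when the response does not already carry them,
    # so an existing application header is never overwritten.
    set static::sec_headers {
        "X-Frame-Options"           "SAMEORIGIN"
        "X-Content-Type-Options"    "nosniff"
        "X-XSS-Protection"          "1; mode=block"
        "Referrer-Policy"           "strict-origin-when-cross-origin"
        "Strict-Transport-Security" "max-age=31536000; includeSubDomains"
    }
    # CSP starts in Report-Only mode: the browser reports violations to the
    # console (and to report-uri if configured) but does not block anything,
    # so a policy that is too strict cannot stop the webtop from loading.
    # Flip csp_enforce to 1 only after the console shows no violations.
    # 'unsafe-inline'/'unsafe-eval' are assumed to be needed by the webtop's
    # own inline scripts; remove them if your console shows they are not.
    set static::csp_policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'self'"
    set static::csp_enforce 0
}

when HTTP_RESPONSE_RELEASE {
    # Plain security headers: safe on every content type.
    foreach {name value} $static::sec_headers {
        if { ![HTTP::header exists $name] } {
            HTTP::header insert $name $value
        }
    }

    # CSP only matters on HTML documents; attaching it to images, scripts or
    # JSON is harmless but noisy, so restrict it to text/html.
    set ctype [string tolower [HTTP::header value "Content-Type"]]
    if { $ctype starts_with "text/html" } {
        if { $static::csp_enforce } {
            HTTP::header remove "Content-Security-Policy-Report-Only"
            HTTP::header replace "Content-Security-Policy" $static::csp_policy
        } elseif { ![HTTP::header exists "Content-Security-Policy"] } {
            HTTP::header replace "Content-Security-Policy-Report-Only" $static::csp_policy
        }
    }
}
```

After attaching the iRule, check the result from outside the F5 with `curl -sI https://<webtop-host>/` and confirm each header appears exactly once; a duplicated header (one from the application plus one from the iRule) is itself something scanners flag. Keep CSP in Report-Only mode until the browser console on the webtop shows no violations, then set csp_enforce to 1; that staged rollout is what avoids the "content not loading" symptom described in the thread.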