I need some help trying to figure out why my standard security headers are not being applied to a specific VIP. I am inserting X-FRAME-OPTIONS, X-XSS-PROTECTION and CONTENT-SECURITY-POLICY into all my Virtual Servers using an iRule. For all VSs they work if you scan the DNS name (using nmap or securityheaders.io), but if I scan using the IP, all but one VS passes (just one VIP shows no headers; it does show HSTS, which I am applying through a policy, though). Any thoughts as to why one VIP would behave differently than the others?
It is difficult to say without understanding your configuration; most likely it is a configuration mistake somewhere on that VIP. Is it possible that you have two VIPs, one listening on port 80 and another on port 443, and you applied the iRule to just one of them?
It's actually stranger than that. Yes, I have applied the same iRule to both VIPs (80 and 443); I have also tried setting the headers with a policy and linking it to both VIPs. Still the headers don't show on port 80. We gave up on having the F5 attach the headers and configured the Apache server to do it, so the F5 VIPs are a pure pass-through. That did not help with port 80; port 443 was fine. So it seems to be a networking issue, and now it's a little beyond me, so I am looking for other areas to look at.
We are thinking it's a false positive because of the redirect to port 443 and the scanners are getting confused.
Is there any possibility that HTTP (80) is being redirected to 443?
I think we figured out that it is the default page on the ASM, which has no headers. How do you set default headers in ASM?
You can customize the response page of the Policy and just add those headers to that.
Application Security -> Policy -> Response Page
Then you can change from Default Response to Customized Response.
Yes, I found that and it is working for all Virtual Servers. I am now looking into response logging.
Thank you for all your help; the JSP code was getting in the way.
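For reference, here is an added example (not the original poster's iRule, and not F5's own code) of the header-insertion iRule the thread is about, written so it does not duplicate a header the Apache backend already sends. The header values are assumptions; tune them to the application. Note that this event only fires for responses that come from the pool member, which is why a response the BIG-IP generates itself (the ASM default blocking page the thread found, or a redirect produced by HTTP::redirect/HTTP::respond on the port 80 VIP) will not carry these headers and has to be fixed in the ASM Response Page or in that redirect rule instead.

```tcl
# Added example iRule: insert standard security headers on every server
# response, skipping any header the backend has already set so the client
# never sees the same header twice. Values below are assumptions.
when HTTP_RESPONSE {
    # name/value pairs, walked two at a time
    set sec_headers [list \
        "X-Frame-Options"          "SAMEORIGIN" \
        "X-XSS-Protection"         "1; mode=block" \
        "Content-Security-Policy"  "default-src 'self'" \
        "X-Content-Type-Options"   "nosniff" ]

    foreach {name value} $sec_headers {
        # HTTP::header exists is case-insensitive, so a header the
        # backend sends as x-frame-options is still detected
        if { not [HTTP::header exists $name] } {
            HTTP::header insert $name $value
        }
    }
}
```

A quick way to confirm which side is missing the headers is to request the same URL by IP with an explicit Host header on both port 80 and 443 and compare the response headers, which separates a missing header from a scanner following the redirect.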