Forum Discussion

Poka_367158
Jul 17, 2018

Illegal HTTP status in response with CDN

We have an F5-ASM set up to only allow certain response status codes. All others are masked with a 200. We are currently deploying a CDN, and the challenge is that these error-masked responses are being cached by the CDN. The CDN team is recommending to relax these rules.

1) What are some good recommendations in this use case?

2) What about health check pages? Our tests also mask invalid responses from health check pages. Should they be whitelisted?
2 Replies

  • Hi Poka,

    I understand that you use the ASM functionality "Allowed Response Status Codes".

    If a response contains a response status code from 4xx to 5xx that is not on the list, the system issues the violation, Illegal HTTP status in response. If you configured the security policy to block this violation, the system blocks the response with a specific message.

    This functionality allows you to avoid sensitive info leaks...

    What do you mean by "The CDN team is recommending to relax these rules"? Did the CDN team want you to not use "Allowed Response Status Codes" and let unwanted status codes be released?

    In any case, the priority is to secure the application given the attacks that continue to grow, because if you relax these rules (and so show status code errors and bodies) you will fall into information disclosure issues. I agree that these types of issues are not exploitable in most cases, but they are considered web application security issues because they allow attackers to gather information which can be used later in the attack lifecycle, in order to achieve more than they could if they didn't get access to such information.

    The question to ask is what the benefit of relaxing these errors is for the CDN, especially since such errors are rare and not frequent.

    Regards
  • Hi Poka, if by "masking" you mean ASM Blocking page responding with HTTP 200 when the request is blocked by ASM Policy, then the solution can be easier. ASM blocking response page by default has HTTP Response Code 200, you have 2 options:

    1) change the ASM Blocking Response page from HTTP 200 to another code which will not be masked - people most frequently change ASM response code to 403 Forbidden or to 503 Service Unavailable - 4xx and 5xx are not cached by CDN

    2) leave ASM Blocking Response Page response code as 200 but add header:

    Cache-Control: no-cache

    to the ASM blocking response page, this will instruct CDN not to cache the blocking page.

    I hope this helps,

    Sam
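To make the trade-off between Sam's two options concrete, here is an added example (not code from this thread, from F5, or from any CDN vendor) that models how a shared cache decides whether to store a response, using the RFC 7234/7231 rules most CDNs start from: a response is stored only when no Cache-Control directive forbids it and either an explicit freshness lifetime is given or its status code is one a cache may store heuristically. The `blocking_page` helper and the `Response` class are constructed stand-ins for the ASM blocking response page; real CDNs add their own overrides on top of this model. Two caveats worth knowing when picking an option: `Cache-Control: no-cache` lets a cache store the page but forces revalidation with the origin on every hit, whereas `no-store` forbids storing it at all; and in the RFC model 404, 405, 410, 414 and 501 are cacheable by default, so an explicit Cache-Control header on the blocking page is the robust choice whatever status code you settle on.

```python
"""Constructed model of a CDN's cache-admission decision (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# RFC 7231 section 6.1: statuses a cache may store without explicit
# freshness information (Cache-Control/Expires). Everything else needs
# an explicit directive before a cache will keep it.
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


@dataclass
class Response:
    """Minimal HTTP response: status plus a case-insensitive header map."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def parse_cache_control(value: str) -> dict:
    """Turn 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def cdn_decision(resp: Response) -> str:
    """Return STORE, STORE_REVALIDATE or BYPASS for a shared (CDN) cache."""
    cc = parse_cache_control(resp.header("Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return "BYPASS"                      # a shared cache must not keep it
    if "no-cache" in cc:
        return "STORE_REVALIDATE"            # kept, but every hit revalidates
    for directive in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        if cc.get(directive) is not None:
            try:
                ttl = int(cc[directive])
            except ValueError:
                return "BYPASS"              # malformed lifetime: play safe
            return "STORE" if ttl > 0 else "STORE_REVALIDATE"
    if resp.status in HEURISTICALLY_CACHEABLE:
        return "STORE"                       # heuristic freshness applies
    return "BYPASS"


def blocking_page(status: int, extra_headers: Optional[dict] = None) -> Response:
    """Constructed stand-in for the ASM blocking response page."""
    headers = {"Content-Type": "text/html"}
    headers.update(extra_headers or {})
    return Response(status, headers)


def compare_options() -> dict:
    """Evaluate the thread's options plus a few edge cases side by side."""
    cases = {
        "default: 200, no Cache-Control": blocking_page(200),
        "option 1: 403 Forbidden": blocking_page(403),
        "option 1: 503 Service Unavailable": blocking_page(503),
        "option 2: 200 + no-cache": blocking_page(200, {"Cache-Control": "no-cache"}),
        "200 + no-store": blocking_page(200, {"Cache-Control": "no-store"}),
        "unmasked origin 404": blocking_page(404),
        "404 + no-store": blocking_page(404, {"cache-control": "no-store"}),
    }
    return {name: cdn_decision(resp) for name, resp in cases.items()}


if __name__ == "__main__":
    for name, decision in compare_options().items():
        print(f"{name:36s} -> {decision}")
```

Running it shows the default blocking page (200 with no caching headers) landing in STORE, which is exactly the behaviour Poka is seeing, while 403 and 503 fall through to BYPASS and the `no-cache` variant is kept but revalidated on each hit. The unmasked 404 also comes out as STORE, which is the reason to prefer an explicit `no-store` (or at least `no-cache`) on the blocking page rather than relying on the status code alone.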