HTTP Header not detected

Question

Hello All,&nbsp;
We have got vulnerability " HTTP header not detected " for few of our F5 webtop URL .Do we know how we can fix this .? Do we have irule which can be applied to fix this ?&nbsp;
These URL hosted on f5 APM &nbsp;
Thanks &nbsp;

jad_tabbara__j1 · Answer

Hello Puluck, &nbsp;
How did you detect this vulnerability ? If using a known vulnerability scanner such as Qualys or other, could you add the description given by the editor for this vulnerability... &nbsp;
Indeed it will help us to give you the best manner to treat this.&nbsp;
APM has by default security options such as the "Secure" &amp; "HTTP Only" flags for cookie headers. &nbsp;
Once we know why the scanner is raising this vulnerability we can add more security headers to enforce your webtop. &nbsp;
Regards&nbsp;

ashwin_venkat · Answer

This sounds like it's coming from Qualys and it's complaining about certain HTTP headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, CSP etc headers being missing from the HTTP response.  You can add them all via an iRule to tighten the security headers and it's covered in great detail here:
Part 1: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-1-27511
Part 2: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-2-27512
Part 3: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-3-27702

Forum Discussion

HTTP Header not detected

2 Replies

Recent Discussions

Azure SAML - F5 APM

iRule resulting in too many redirects

ASM cookie, modifying "domain" field

URL

service profile HTTP in LTM v16.1?

Related Content

Re: F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP header

Log Http Headers

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

Revocation Status in HTTP Request Header

SSL Orchestrator Advanced Use Cases: DNS-over-HTTPS Detection