Forum Discussion

Ravi_Kumar_Teli
Aug 05, 2019

Need to implement HTTP security headers and Brute Force attack prevention features

I need help on two things.

1) Need to implement HTTP security headers for URL sub-directories (like https://google.com/photos). We already have iRules in place for the main URL but are unsure how to create them for sub-directories of a URL. I tried adding the iRule below, but I get a "secure connection failed, PR_CONNECT_RESET_ERROR" error when accessing the URL.

    # Decide on the request side whether this is the login page that should get the CSP header
    when HTTP_REQUEST {
        if { ( [string tolower [HTTP::host]] eq "abc.xyz.com" ) and ( [string tolower [HTTP::uri]] eq "/cache_login/login.php" ) } then {
            set insert_csp 1
        } else {
            set insert_csp 0
        }
    }

    # Insert the header on the matching response only
    when HTTP_RESPONSE {
        if { $insert_csp } then {
            HTTP::header insert "Content-Security-Policy" "script-src 'self'"
        }
    }

2) Need Brute Force Attack Prevention. I know this feature is available in ASM, but when I followed the steps of the video "ASM Demo 28 - Block Brute Force Attacks Targeting a Single Username", I don't see it working for the external web apps. It doesn't block when we try to enter the same username with different passwords more than 5 times or so.

1 Reply

  • Answer to question 1:

    That iRule tests OK, so I'm not sure what the issue is. The PR_CONNECT_RESET_ERROR indicates that the connection was reset, which could indicate an iRule syntax error; check your LTM log file.

    Answer to question 2:

    Has your URL been qualified?

    URLs are qualified for CAPTCHA or JavaScript insertion by being accessed correctly 10 times in five minutes, or by manually qualifying the URL:

    tmsh modify sys db asm.cs_qualified_urls value <login URL>

    For the URL to be qualified for the JS challenge, ASM should have seen 10 requests for the URL in the PAST, and the response should have had "Content-Type: text/html" and an HTML tag in the body.
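As an added example for question 1 (not the original poster's iRule and not F5-supplied code): an iRule that matches a whole sub-directory with a prefix test instead of an exact URI comparison, and guards the response-side variable so a runtime error cannot reset the connection. The hostname and the /photos prefix are assumed placeholder values.

```tcl
# Added example (not from the original post): apply security headers to every
# URI under a sub-directory prefix rather than to one exact path.
# "abc.xyz.com" and "/photos" are placeholder values for this illustration.
when HTTP_REQUEST {
    # Normalise host and path for comparison; HTTP::path excludes the query string,
    # so "/photos/album?id=1" still matches the prefix test below.
    set host [string tolower [HTTP::host]]
    set path [string tolower [HTTP::path]]

    # Match the sub-directory and everything beneath it
    # (e.g. /photos, /photos/, /photos/album/1).
    if { ($host eq "abc.xyz.com") && ($path starts_with "/photos") } {
        set insert_sec_headers 1
    } else {
        set insert_sec_headers 0
    }
}

when HTTP_RESPONSE {
    # [info exists] guards against the variable never having been set on this
    # flow; referencing an unset Tcl variable raises a runtime error, which
    # aborts the connection and shows up as a reset in the browser.
    if { [info exists insert_sec_headers] && $insert_sec_headers } {
        # Remove any copies the backend already sent so headers are not duplicated,
        # then insert the values the policy wants on this sub-directory.
        HTTP::header remove "Content-Security-Policy"
        HTTP::header remove "X-Content-Type-Options"
        HTTP::header remove "X-Frame-Options"
        HTTP::header insert "Content-Security-Policy" "default-src 'self'; script-src 'self'"
        HTTP::header insert "X-Content-Type-Options" "nosniff"
        HTTP::header insert "X-Frame-Options" "DENY"
    }
}
```

If the reset persists after applying a rule like this, the LTM log (/var/log/ltm) will name the event and line where the iRule raised the Tcl error.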