These steps raise the HTTP header security level of a web application fronted by NetScaler.
We use NetScaler AppExpert and its Rewrite engine to do this.
Note: always implement this in a test environment first, to verify the impact of the change before moving the configuration change to production.
Configuration Guideline – Remove sensitive header info from the web server
In most scenarios there is no need for web servers to expose the application version, platform, etc.
These policies should be bound to Rewrite Response.
```
#### Removal of insecure HTTP Response Headers
add policy patset PatSetRemoveHeaders
bind policy patset PatSetRemoveHeaders Server -index 6
bind policy patset PatSetRemoveHeaders X-Powered-By -index 7
bind policy patset PatSetRemoveHeaders X-AspNet-Version -index 8
add rewrite action rw-act-remove-http-headers delete_all HTTP.RES.FULL_HEADER -search "patset(\"PatSetRemoveHeaders\")"
add rewrite policy rw-pol-remove-insecure-headers "HTTP.RES.FULL_HEADER.CONTAINS_ANY(\"PatSetRemoveHeaders\")" rw-act-remove-http-headers
```
Configuration Guideline – Add secure HTTP headers
Security headers can be verified with this website:
SecurityHeaders.io
These policies should be bound to Rewrite Request.
```
#### Add secure HTTP Response Headers
add rewrite action rw-act-insert-XFrame-header insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite action rw-act-insert-XSS-header insert_http_header X-Xss-Protection "\"1; mode=block\""
add rewrite action rw-act-insert-XContent-header insert_http_header X-Content-Type-Options "\"nosniff\""
add rewrite action rw-act-insert-STS-header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy rw-pol-enforce-XFrame TRUE rw-act-insert-XFrame-header
add rewrite policy rw-pol-enforce-XSS TRUE rw-act-insert-XSS-header
add rewrite policy rw-pol-enforce-XContent TRUE rw-act-insert-XContent-header
add rewrite policy rw-pol-enforce-STS TRUE rw-act-insert-STS-header
```