NetScaler Security – HTTP Headers

These steps should be carried out to raise the security level in HTTP Header security for a given web application controlled by NetScaler.

We will be utilizing NetScaler AppExpert and Rewrite engine to meet the objectives.
Note. Always implement in a test environment, to verify the impact of this change before moving configuration change to Production.

Configuration Guideline – Remove sensible header info from web server

In most scenarios there is no need for web servers to expose the application versions, platform etc.

These policies should be bound in Rewrite Response.

#### Removal of insecure HTTP Response Headers
add policy patset PatSetRemoveHeaders
bind policy patset PatSetRemoveHeaders Server -index 6
bind policy patset PatSetRemoveHeaders X-Powered-By -index 7
bind policy patset PatSetRemoveHeaders X-AspNet-Version -index 8
add rewrite action rw-act-remove-http-headers delete_all HTTP.RES.FULL_HEADER -search "patset(\"PatSetRemoveHeaders\")"
add rewrite policy rw-pol-remove-insecure-headers "HTTP.RES.FULL_HEADER.CONTAINS_ANY(\"PatSetRemoveHeaders\")" rw-act-remove-http-headers

#### Removal of insecure HTTP Response Headers

add policy patset PatSetRemoveHeaders

bind policy patset PatSetRemoveHeaders Server -index 6

bind policy patset PatSetRemoveHeaders X-Powered-By -index 7

bind policy patset PatSetRemoveHeaders X-AspNet-Version -index 8

add rewrite action rw-act-remove-http-headers delete_all HTTP.RES.FULL_HEADER -search "patset(\"PatSetRemoveHeaders\")"

add rewrite policy rw-pol-remove-insecure-headers "HTTP.RES.FULL_HEADER.CONTAINS_ANY(\"PatSetRemoveHeaders\")" rw-act-remove-http-headers

Configuration Guideline – Add secure HTTP headers

Security headers can be verified by using this web site:
SecurityHeaders.io

These policies should be bound in Rewrite Request.

#### Add secure HTTP Response Headers

add rewrite action rw-act-insert-XFrame-header insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite action rw-act-insert-XSS-header insert_http_header X-Xss-Protection "\"1; mode=block\""
add rewrite action rw-act-insert-XContent-header insert_http_header X-Content-Type-Options "\"nosniff\""
add rewrite action rw-act-insert-STS-header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy rw-pol-enforce-XFrame TRUE rw-act-insert-XFrame-header
add rewrite policy rw-pol-enforce-XSS TRUE rw-act-insert-XSS-header
add rewrite policy rw-pol-enforce-XContent TRUE rw-act-insert-XContent-header
add rewrite policy rw-pol-enforce-STS TRUE rw-act-insert-STS-header

#### Add secure HTTP Response Headers

add rewrite action rw-act-insert-XFrame-header insert_http_header X-Frame-Options "\"SAMEORIGIN\""

add rewrite action rw-act-insert-XSS-header insert_http_header X-Xss-Protection "\"1; mode=block\""

add rewrite action rw-act-insert-XContent-header insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action rw-act-insert-STS-header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy rw-pol-enforce-XFrame TRUE rw-act-insert-XFrame-header

add rewrite policy rw-pol-enforce-XSS TRUE rw-act-insert-XSS-header

add rewrite policy rw-pol-enforce-XContent TRUE rw-act-insert-XContent-header

add rewrite policy rw-pol-enforce-STS TRUE rw-act-insert-STS-header

Configuration Guideline – Remove sensible header info from web server

Configuration Guideline – Add secure HTTP headers

Leave a Reply Cancel reply