Forum Discussion

Nick_T_68319's avatar
Nick_T_68319
Icon for Nimbostratus rankNimbostratus
Jun 22, 2011

Best way to clean up HTTP headers, sanitize or Response Headers Allowed?

I want to remove a bunch of the IIS headers that don't need to be shared, what is the better way to do it?

 

 

Use the sanitize function in an Irule?

 

 

 

Or in the HTTP profile use the "Response Headers Allowed" field?

 

 

 

Is there any advantage or disadvantage to either one? They seem like they do the same thing.

 

app sec
BIG-IP Access Policy Manager (APM)
security
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 23, 2011
    Hi Nick,

     

     

    In general if you can use default configuration options it will be more efficient than an iRule. I'd try the HTTP profile option for Response Headers Allowed to do this. It's a bit more clear of a solution as well as the HTTP::header sanitize function allows some headers but not all essential ones. With the HTTP profile, you'll see exactly which ones are allowed as they all need to be enumerated.

     

     

    Aaron
  • Nick_T_68319's avatar
    Nick_T_68319
    Icon for Nimbostratus rankNimbostratus
    Jun 23, 2011
    Posted By hoolio on 06/22/2011 10:07 PM Perfect, that's what I was hoping for. Plus it's much easier to apply the response headers allowed globally in my environment :) Hi Nick,

     

     

    In general if you can use default configuration options it will be more efficient than an iRule. I'd try the HTTP profile option for Response Headers Allowed to do this. It's a bit more clear of a solution as well as the HTTP::header sanitize function allows some headers but not all essential ones. With the HTTP profile, you'll see exactly which ones are allowed as they all need to be enumerated.

     

     

    Aaron