Forum Discussion
CirrusHTTP Header not detected
Hello All,
We have got vulnerability " HTTP header not detected " for few of our F5 webtop URL .Do we know how we can fix this .? Do we have irule which can be applied to fix this ?
These URL hosted on f5 APM
Thanks
Jad_Tabbara__J1Cirrostratus
Hello Puluck,
How did you detect this vulnerability ? If using a known vulnerability scanner such as Qualys or other, could you add the description given by the editor for this vulnerability...
Indeed it will help us to give you the best manner to treat this.
APM has by default security options such as the "Secure" & "HTTP Only" flags for cookie headers.
Once we know why the scanner is raising this vulnerability we can add more security headers to enforce your webtop.
Regards
Ashwin_VenkatEmployee
This sounds like it's coming from Qualys and it's complaining about certain HTTP headers like X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, CSP etc headers being missing from the HTTP response. You can add them all via an iRule to tighten the security headers and it's covered in great detail here:
Part 1: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-1-27511 Part 2: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-2-27512 Part 3: https://devcentral.f5.com/articles/tightening-the-security-of-http-traffic-part-3-27702