Forum Discussion
HTTP Header response problem
Good Morning,
I have an issue with some of my response headers and an iRule for replacing certain responses. The rule I have below is set against a number of our sites, but when running a header response scan some of the comments don't seem to be respected. For example, the "Server" and "X-Powered-By" still come back with the actual server and IIS details. Am I missing something or have I got the argument wrong?
BTW I'm new to F5s and still learning how to create this syntax, so apologies if I ask what seem like dumb questions. Thanks in advance.
when HTTP_RESPONSE {
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie secure $mycookie enable
    }
    if { !([ HTTP::header exists "X-Frame-Options" ])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
    if { !([ HTTP::header exists "X-Powered-By" ])} { HTTP::header insert "X-Powered-By" "Server" }
    if { !([ HTTP::header exists "Server" ])} { HTTP::header insert "Server" "A-Server" }
    if { !([ HTTP::header exists "Cache-Control" ])} { HTTP::header insert "Cache-Control" "no-cache" }
    if { !([ HTTP::header exists "X-XSS-Protection" ])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
    if { !([ HTTP::header exists "X-Content-Type-Options" ])} { HTTP::header insert "X-Content-Type-Options" "nosniff" }
    if { !([ HTTP::header exists "Strict-Transport-Security" ])} { HTTP::header insert "Strict-Transport-Security" "max-age=15768000" }
}
Hi MattNears,
If the server's response contains the "Server" header, the "X-Powered-By" header or other headers in the iRule, the "Server" and "X-Powered-By" headers will come back with the actual server and IIS details. You should use "else" blocks and the HTTP::header replace command.
if { !([HTTP::header exists "Server"]) } { HTTP::header insert "Server" "A-Server" } else { HTTP::header replace "Server" "A-Server" }
- MattNears (Nimbostratus)
Thanks, that makes sense now, I'd not realised you could combine with else statements.
- MattNears (Nimbostratus)
As a side note to the above, I do occasionally have issues where the set secure cookie comes back with a "no prefix" and "not a samesite" cookie error:
Set-Cookie: ASP.NET_SessionId=br3sthsomuihmjyey4xkqmh5; path=/; HttpOnly;Secure
Do I need to adjust the first line so all cookies are set as secure?
- MattNears (Nimbostratus)
Just to resurrect this thread a little and ask a new question: I managed to resolve my Secure cookie issue, found it in the cookie persistence profile and have that now working nicely.
My new issue seems to be on if { !([ HTTP::header exists "X-AspNet-Version" ])} {HTTP::header remove "X-AspNet-Version" } not working and removing the header as it should. Now I did consider switching it and adding an argument to insert a fictitious value and then use else and remove, but this hasn't worked either. I'm sure I'm missing something but just struggling to work out what I've missed.
Any advice will be welcome here.
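
The following iRule is an added example, not part of the original thread and not F5's own code. It shows one way to handle both questions above: the "Server" / "X-Powered-By" values that leak through when the backend already sends them, and the "X-AspNet-Version" removal that never fires. Header names and values are the ones posted in the thread; the remove-then-insert pattern is used here in place of the if/else with HTTP::header replace suggested in the reply.

```tcl
when HTTP_RESPONSE {
    # Mark every cookie in the response as Secure (unchanged from the posted rule).
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie secure $mycookie enable
    }

    # Version-disclosure header: remove it unconditionally.
    # A guard of the form  if { !([HTTP::header exists ...]) }  runs its body
    # only when the header is ABSENT, so a remove placed behind it never acts
    # on a response that actually carries the header.
    # HTTP::header remove deletes every occurrence and does nothing if there is none.
    HTTP::header remove "X-AspNet-Version"

    # Headers whose backend value must never reach the client:
    # drop whatever the server sent (all occurrences), then insert the fixed value.
    # This covers both the "present" and "absent" cases without an if/else.
    foreach {name value} {
        "Server"       "A-Server"
        "X-Powered-By" "Server"
    } {
        HTTP::header remove $name
        HTTP::header insert $name $value
    }

    # Security headers: keep the application's own value when it sets one,
    # otherwise add the default from the posted rule.
    foreach {name value} {
        "X-Frame-Options"           "SAMEORIGIN"
        "Cache-Control"             "no-cache"
        "X-XSS-Protection"          "1; mode=block"
        "X-Content-Type-Options"    "nosniff"
        "Strict-Transport-Security" "max-age=15768000"
    } {
        if { ![HTTP::header exists $name] } {
            HTTP::header insert $name $value
        }
    }
}
```

After attaching the rule, rerun the header response scan against a site whose backend is known to send "Server", "X-Powered-By" and "X-AspNet-Version" to confirm that none of the original values are returned.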