Forum Discussion
LTM Management UI Security Settings
I'm running several BIG-IP LTM 5250F appliances on v13.1.0.7. After a recent security audit, the following five items were flagged against the web UI management page. Does anyone know if it is possible to modify and remediate any of these items?
- Autocomplete HTML Attribute Not Disabled for Password Field (suggested remediation: If the "autocomplete" attribute is missing in the "password" field of the "input" element, add it and set it to "off".)
- Request vulnerable to Cross-site Request Forgery (suggested remediation: The application should implement anti-CSRF tokens into all requests that perform actions which change the application state or which add/modify/delete content.)
- Missing "X-Content-Type-Options" header (suggested remediation: Configure your server to send the "X-Content-Type-Options" header with value "nosniff" on all outgoing requests.)
- Missing "X-XSS-Protection" header (suggested remediation: Configure your server to send the "X-XSS-Protection" header with value "1" (i.e. Enabled) on all outgoing requests.)
- Information Disclosure in Session Cookie [Username] (suggested remediation: Prevent the application from disclosing data or information within the session cookie.)
- mushair
Altostratus
I am having a similar issue after a security audit:
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN".
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.
- mushair
Altostratus
I was able to remediate all my issues with the following iRules for each:
when HTTP_RESPONSE {
    # Insert a baseline CSP only if the backend did not already send one
    # (the header name must have no trailing space or the check never matches)
    if { ![HTTP::header exists "Content-Security-Policy"] } {
        HTTP::header insert "Content-Security-Policy" "default-src 'self';"
    }
}
when HTTP_RESPONSE {
    # Overwrite any existing value so the response always carries SAMEORIGIN
    HTTP::header replace "X-Frame-Options" "SAMEORIGIN"
}
when HTTP_RESPONSE {
    # HTTP::header insert takes the name and value as two separate arguments
    if { ![HTTP::header exists "X-Content-Type-Options"] } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
Referrer Policy (this resolved the Feature Policy as well):
when HTTP_REQUEST {
    switch -glob [HTTP::header "Referer"] {
        "http://www.tssdev.ae.com/*" {
            # Referer is our own site: allow the request to go through
        }
        "" {
            # No Referer at all: answer with an empty 200
            HTTP::respond 200 content ""
        }
        default {
            # Any other Referer: send the client back where it came from
            HTTP::redirect [HTTP::header "Referer"]
        }
    }
}
*** for header related tests, check out https://securityheaders.com/ ***
- mushair
Altostratus
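As an added example (not code from mushair's posts), a single HTTP_RESPONSE iRule that inserts every header named in this thread only when the backend has not already set it, including Referrer-Policy and Feature-Policy as actual response headers. It assumes the traffic passes through a BIG-IP virtual server with an HTTP profile, which is where iRules execute; the header values are starting points to tighten for the application.

```tcl
# Added example, not from the original posts. Assumes a virtual server
# with an HTTP profile in front of the UI; iRules only see that traffic.
when HTTP_RESPONSE {
    # name => value pairs for every header discussed in the thread.
    # The CSP here is a placeholder; adjust it to what the UI really loads.
    set sec_headers [list \
        "Content-Security-Policy" "default-src 'self'; frame-ancestors 'self'" \
        "X-Frame-Options"         "SAMEORIGIN" \
        "X-Content-Type-Options"  "nosniff" \
        "X-XSS-Protection"        "1; mode=block" \
        "Referrer-Policy"         "strict-origin-when-cross-origin" \
        "Feature-Policy"          "camera 'none'; microphone 'none'; geolocation 'none'" \
    ]
    foreach {name value} $sec_headers {
        # Header name matching is case-insensitive, so a backend-set
        # "x-frame-options" is honoured rather than duplicated.
        if { ![HTTP::header exists $name] } {
            HTTP::header insert $name $value
        }
    }
}
```

The cookie and CSRF findings from the first post are application behaviour and are not addressed by inserting response headers.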
https://devcentral.f5.com/s/feed/0D51T00006i7hVhSAI
This helped me with a few.