Forum Discussion
James_Thomson (Employee)
Jan 06, 2005
Make sure client cert data passed in header to server isn't coming from client?
When BigIP is configured for client-side certs and is extracting fields from the client cert and placing them in HTTP headers to pass downstream, does it have any way of determining or checking that the headers it passed are the ones it generated and not something that somehow got passed through the box?
For example, if I had a rule that would search client certificate information and pull out the username and DN and then create an HTTP header called "myheader" and insert that data in there, could I preface that rule with a piece that would first check whether someone is trying to send an HTTP header "myheader" and delete it if it exists?
Would it be easier to create an http profile and just have it erased there?
2 Replies
- bl0ndie_127134 (Historic F5 Account)
You can use the rule

    HTTP::header sanitize [allowed header names]

to create a white list of headers and strip out all but those headers from the request or response. Note that the rule will not remove the essential/required HTTP headers.

    set allowed_headers {goodHeader1 goodHeader2 goodHeader3}
    HTTP::header sanitize $allowed_headers

    # Start from the headers actually present, drop every "badHeader" entry
    # from that list, then sanitize against the remaining names.
    set http_headers [HTTP::header names]
    while { [set index [lsearch $http_headers "badHeader"]] != -1 } {
        set http_headers [lreplace $http_headers $index $index]
    }
    HTTP::header sanitize $http_headers
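One way to implement the strip-then-insert approach the original question describes, as an added example that is not part of this thread or F5's own code: it assumes a client SSL profile that requires client certificates, a BIG-IP version with the SSL::cert and X509:: iRule commands, and that the username is the CN of the certificate's subject DN. The header name "myheader" comes from the question.

```tcl
# Added example, not from the original thread. Strips any client-supplied
# "myheader" before BIG-IP inserts its own value derived from the client
# certificate, so the downstream server only ever sees the value BIG-IP set.
when HTTP_REQUEST {
    # 1. Remove every instance of "myheader" the client may have sent.
    #    HTTP::header remove drops all headers with that name.
    if { [HTTP::header exists "myheader"] } {
        log local0. "Stripped client-supplied myheader from [IP::client_addr]"
        HTTP::header remove "myheader"
    }

    # 2. Only insert the header when a client certificate was actually presented
    #    (assumes a clientssl profile with client authentication enabled).
    if { [SSL::cert count] > 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        # Assumed DN layout "CN=user,OU=...": pull the CN out as the username.
        if { [regexp -nocase {CN=([^,]+)} $subject_dn -> username] } {
            HTTP::header insert "myheader" "$username;$subject_dn"
        } else {
            log local0. "No CN in client cert subject: $subject_dn"
        }
    }
}
```

Because the remove step runs unconditionally before the insert, a request that arrives with a forged "myheader" but no client certificate reaches the server with no "myheader" at all rather than the forged one.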
- Ravi_Natarajan_ (Historic F5 Account)
I guess doing it with an http profile would be efficient: