Forum Discussion
James_Thomson
Employee
Jan 06, 2005
Make sure client cert data passed in header to server isn't coming from client?
When BigIP is configured for client side certs and is extracting fields from the client cert and placing them in http headers to pass downstream, does it have any way of determining or checking that t...
bl0ndie_127134
Jan 07, 2005
Historic F5 Account
You can use the rule HTTP::header sanitize [allowed header names] to create a white list of headers and strip out all but those headers from the request or response. Note that the rule will not remove the essential/required HTTP headers.
set allowed_headers {goodHeader1 goodHeader2 goodHeader2}
HTTP::header sanitize $allowed_headers
The previous example works well if you know all the allowed headers ahead of time. Here is a slightly longer version that sanitizes using a black list of headers.
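# Start from the names of the headers present in the request
set http_headers [HTTP::header names]
# Remove every occurrence of the unwanted name from the list
for { } { 1 } { } {
    set index [lsearch $http_headers "badHeader"]
    if {$index != -1} {
        set http_headers [lreplace $http_headers $index $index]
    } else {
        break
    }
}
# Whatever is left is the list of headers to keep
HTTP::header sanitize $http_headers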
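Added example, not part of the original post: the black-list loop above uses lsearch with its defaults (glob-style, case-sensitive), while HTTP header names are case-insensitive, so a client sending the same header in a different case would not be matched. The plain-Tcl sketch below (runnable in tclsh) builds the list to keep using a case-insensitive comparison; the proc name and the header names are hypothetical, and the sample input is constructed.

```tcl
# Added example: compute the list of header names to keep, given the
# names seen in a request and a deny list, comparing case-insensitively.
# keep_after_denylist is a hypothetical helper name.
proc keep_after_denylist {names denylist} {
    # Normalise the deny list once
    set deny {}
    foreach d $denylist {
        lappend deny [string tolower $d]
    }
    # Keep a name only if its lower-cased form is not denied.
    # -exact avoids glob characters in a name being treated as a pattern.
    set keep {}
    foreach n $names {
        if {[lsearch -exact $deny [string tolower $n]] == -1} {
            lappend keep $n
        }
    }
    return $keep
}

# Constructed sample: a request that carries the cert header twice,
# in two different spellings, alongside ordinary headers.
set names {Host User-Agent SSL-Client-CN ssl-client-cn Cookie}
set keep  [keep_after_denylist $names {SSL-Client-CN}]
puts "keep: $keep"

# In the rule, the body of the proc would replace the for loop, with
# [HTTP::header names] as the input and the result passed to
# HTTP::header sanitize.
```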
