For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

DaveC_53879's avatar
DaveC_53879
Icon for Nimbostratus rankNimbostratus
Jul 31, 2012

Removing headers

I know how to insert headers into outbound traffic, but is it possible to remove them using an iRue, or some other mechanism on the F5? We're still running 9.4.6. Specifically;

 

Server : Microsoft-IIS/7.5

 

X-AspNet-Version: 4.0.30319

 

X-Powered-By : ASP.NET

 

 

I think this would e much tougher. Thanks in advance.
application delivery
dev
devops
iRules

3 Replies

  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Jul 31, 2012
    HTTP::header remove will remove all of the headers that you specify.

     

     

    If you want to attack it from the other direction you can use HTTP::header sanitize.

     

     

     

    HTTP::header sanitize [header name]+¶

     

    - Removes all headers except the ones you specify and the following: Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding.

     

    - Note that the Host header (required by HTTP/1.1) is removed unless explicitly specified.

     

    - This command can be used in the client-side or server-side context, depending on whether you want to sanitize request and/or response headers.

     

    - If you are using the command in the server-side context, you may want to consider adding Location to the list of retained headers if your application requires they be sent to clients.

     

    - If you are using the command in the client-side context, you may want to consider adding Cookie, Accept, and Accept-Encoding to the list of retained headers.