For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 25, 2015

You can certainly rewrite an HTTP response header, but I'm curious how this would work if you changed the header value to Xbasic. When a server sends a 401 WWW-Authenticate response, it can send a value of Basic, Negotiate, NTLM, or Digest. These are generally the only "integrated" authentication methods that a browser will understand. In other words, upon receiving an "xbasic" authentication response, a browser is very likely going to simply fail. If, however, you're using the BIG-IP to authenticate to the server in another way, or the BIG-IP is sending the credentials on the user's behalf and you don't want the client to see the 401 response, you could simply drop these responses.