Server Resource Cloaking

Problem this snippet solves:

This iRule illustrates how to "hide" server specifics from snooping clients.

This iRule cleans the Web server's response headers so that information useful to an attacker fingerprinting the application and the servers behind your Web site (server software and version, application framework, internal proxy names) is never transmitted. The alternative to cloaking at the proxy is to police and clean the information emitted by every application individually, which creates significant management overhead. This rule removes every response header that is not on the inclusion list.

when HTTP_RESPONSE {
  #
  # Remove all but the given headers.
  #
  HTTP::header sanitize "ETag" "Content-Type" "Connection"
}

Note: The above rule will prevent most session-based applications from working, as the Set-Cookie header will be removed. It will also break caching (Cache-Control and Last-Modified are stripped too) and can break authentication (WWW-Authenticate) and redirects (Location), since none of those headers is in the list.

Also, as HTTP::header sanitize doesn't actually remove all headers, it is more appropriate to define an explicit white list (headers to keep) or black list (headers to drop) and use HTTP::header remove to strip the rest. The example below keeps a white list and removes everything else; because it will drop headers such as Location and WWW-Authenticate unless you add them, the list must be tailored to the application. A lighter-touch alternative is a black list that removes only Server, Date and any header whose name starts with X-.

Code:

# v10.x iRule Source

when RULE_INIT {

   # Response headers to preserve; everything else is stripped.
   # This list needs to be tailored to the application: add Location for
   # redirects, WWW-Authenticate for HTTP authentication, Content-Disposition
   # for downloads, and so on, if the application relies on them.
   # Header names are case-insensitive on the wire, so the list is stored
   # lower-cased and compared against a lower-cased copy of each header name.
   set static::headers_to_preserve [string tolower [list \
      Accept-Ranges \
      Cache-Control \
      Content-Encoding \
      Content-Length \
      Content-Type \
      ETag \
      Last-Modified \
      Pragma \
      Set-Cookie \
   ]]

   # Log debug messages to /var/log/ltm?  1=yes, 0=no.
   set static::cloaking_debug 1
}
when HTTP_RESPONSE {

   # Remove all headers but those in the preserve list.
   # HTTP::header names is evaluated once, so removing headers while looping is safe.
   foreach aHeader [HTTP::header names] {
      if { [lsearch -exact $static::headers_to_preserve [string tolower $aHeader]] == -1 } {
         if { $static::cloaking_debug } { log local0. "Removing: $aHeader: [HTTP::header value $aHeader]" }
         HTTP::header remove $aHeader
      }
   }
}

# v9.x iRule Source

when RULE_INIT {

   # Response headers to preserve; everything else is stripped.
   # This list needs to be tailored to the application: add Location for
   # redirects, WWW-Authenticate for HTTP authentication, Content-Disposition
   # for downloads, and so on, if the application relies on them.
   # Header names are case-insensitive on the wire, so the list is stored
   # lower-cased and compared against a lower-cased copy of each header name.
   set ::headers_to_preserve [string tolower [list \
      Accept-Ranges \
      Cache-Control \
      Content-Encoding \
      Content-Length \
      Content-Type \
      ETag \
      Last-Modified \
      Pragma \
      Set-Cookie \
   ]]

   # Log debug messages to /var/log/ltm?  1=yes, 0=no.
   set ::cloaking_debug 1
}
when HTTP_RESPONSE {

   # Remove all headers but those in the preserve list.
   foreach aHeader [HTTP::header names] {
      if { [lsearch -exact $::headers_to_preserve [string tolower $aHeader]] == -1 } {
         # On v9.x HTTP::header remove strips one instance at a time, so loop
         # until no header of this name is left (e.g. several X- headers).
         while { [HTTP::header exists $aHeader] } {
            if { $::cloaking_debug } { log local0. "Removing: $aHeader: [HTTP::header value $aHeader]" }
            HTTP::header remove $aHeader
         }
      }
   }
}
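To check what either policy would do to a real response before deploying the iRule, the following stand-alone Python model applies the same white-list rule as the iRule above and the lighter black-list rule (Server, Date and X- headers) mentioned in the text to a raw HTTP response. It is an added example written for this page, not iRule code and not from F5; the sample response and the header lists are constructed here, and the matching is deliberately case-insensitive because header names are case-insensitive on the wire.

```python
"""Offline model of the two header-cloaking policies discussed above.

Added example for this page; the sample response and the lists are constructed.
"""
from __future__ import annotations

# Constructed sample response, with the kind of headers an origin server leaks.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 18 Mar 2015 10:00:00 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "ETag: \"1a2b3c\"\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 5\r\n"
    "Via: 1.1 internal-proxy.corp.example\r\n"
    "\r\n"
    "hello"
)

# White list mirroring the iRule's preserve list (RFC spelling; matching is
# case-insensitive, so "Etag" from the origin would also be kept).
ALLOW_LIST = {
    "Accept-Ranges", "Cache-Control", "Content-Encoding", "Content-Length",
    "Content-Type", "ETag", "Last-Modified", "Pragma", "Set-Cookie",
}

# Black list for the lighter-touch policy: Server, Date and anything "X-".
DENY_EXACT = {"Server", "Date"}
DENY_PREFIXES = ("X-",)


def parse_response(raw: str) -> tuple[str, list[tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into (status line, header pairs, body).

    Header order and duplicates (several Set-Cookie lines) are preserved,
    which is what a cloaking proxy must do too.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def apply_allow_list(headers, allow):
    """Keep only headers whose name (case-insensitively) is in `allow`."""
    keep = {n.lower() for n in allow}
    kept, removed = [], []
    for name, value in headers:
        (kept if name.lower() in keep else removed).append((name, value))
    return kept, removed


def apply_deny_list(headers, exact, prefixes):
    """Drop headers named in `exact` or starting with any of `prefixes`."""
    exact_l = {n.lower() for n in exact}
    prefixes_l = tuple(p.lower() for p in prefixes)
    kept, removed = [], []
    for name, value in headers:
        n = name.lower()
        if n in exact_l or n.startswith(prefixes_l):
            removed.append((name, value))
        else:
            kept.append((name, value))
    return kept, removed


def rebuild(status, headers, body):
    """Serialise a response back to wire format."""
    return status + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def cloak(raw, mode="allow"):
    """Apply the chosen policy; return (cloaked response, list of removed headers)."""
    status, headers, body = parse_response(raw)
    if mode == "allow":
        kept, removed = apply_allow_list(headers, ALLOW_LIST)
    elif mode == "deny":
        kept, removed = apply_deny_list(headers, DENY_EXACT, DENY_PREFIXES)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return rebuild(status, kept, body), removed


if __name__ == "__main__":
    for mode in ("allow", "deny"):
        cloaked, removed = cloak(SAMPLE_RESPONSE, mode)
        print(f"--- {mode} list: removed {[n for n, _ in removed]}")
        print(cloaked.partition("\r\n\r\n")[0])
```

Run it against the constructed response and the white-list policy strips Date, Server, X-Powered-By and Via while keeping both Set-Cookie lines; the black-list policy leaves Via in place, which is exactly the kind of internal hostname the white list exists to catch.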
Published Mar 18, 2015
Version 1.0
