hooleylist
Cirrostratus

Problem this snippet solves:

Remove any X- header from web server HTTP responses

Here is a simple iRule that removes the Server header and any header whose name starts with X- from the pool's HTTP responses. The goal is to prevent users of the application from learning details of the application architecture from these user-defined headers.

Code :

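when HTTP_RESPONSE {

   # Remove all instances of the Server header
   HTTP::header remove Server

   # Remove all headers starting with x- (case-insensitive match)
   foreach header_name [HTTP::header names] {

      # Tcl requires whitespace between the condition and the body braces
      if {[string match -nocase x-* $header_name]} {

         # Removes every instance of this header name
         HTTP::header remove $header_name
      }
   }
}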
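
An allowlist variant of the iRule above, as an added example that is not part of the original post: it strips X- headers except ones browsers act on, such as X-UA-Compatible (raised in the comments) and the security headers X-Frame-Options and X-Content-Type-Options. The static::keep_x_headers variable and its contents are assumptions to adjust per application.

```tcl
when RULE_INIT {
   # Assumption: example allowlist of browser-facing X- headers to keep,
   # written in lower case. Adjust to what the application relies on.
   set static::keep_x_headers {
      x-ua-compatible
      x-frame-options
      x-content-type-options
   }
}

when HTTP_RESPONSE {

   # Remove all instances of the Server header
   HTTP::header remove Server

   # De-duplicate the name list so each header name is handled once
   foreach header_name [lsort -unique [HTTP::header names]] {

      set lname [string tolower $header_name]

      # Only consider headers whose name starts with x-
      if {![string match x-* $lname]} {
         continue
      }

      # Leave allowlisted headers untouched
      if {[lsearch -exact $static::keep_x_headers $lname] >= 0} {
         continue
      }

      # Removes every instance of this header name
      HTTP::header remove $header_name
   }
}
```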
Comments
saidshow_251381
Cirrostratus
Thank you hoolio. This is great. I have implemented as is for the purpose of testing and confirm that this worked without any changes. I will modify exactly what headers it targets depending on our needs.
TomBenda_311829
Nimbostratus

Be aware that removing all x-* headers can't be all right in all cases. This rule removes the "X-UA-Compatible" header, which can cause some rendering issues for web apps.

 

Version history
Last update: 18-Mar-2015 14:43