cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Problem this snippet solves:

This iRule illustrates how to "hide" server specifics from snooping clients.

This iRule is used to clean the Web server signatures so that unwanted information is not transmitted to hackers who are attempting to fingerprint the application and servers which run on your Web site. The alternative to cloaking is to attempt to police and clean information being sent out by various applications - creating significant management overhead. This rule removes all of the non-essential headers that are not in the inclusion list.

when HTTP_RESPONSE {
  #
  # Remove all but the given headers.
  #
  HTTP::header sanitize "ETag" "Content-Type" "Connection"
}

Note: The above rule will prevent most session-based applications from working, as the Set-Cookie header will be removed. It will also break caching. It could also break authentication.

Also, as the HTTP::header sanitize function doesn't actually remove all headers, it would be more appropriate to either create a white list or black list of headers and use HTTP::header remove to strip out the headers. Below is an example which removes a black list of headers. You might want to also consider removing only the Server, Date and headers starting with X-.

Code :

# v10.x iRule Source

when RULE_INIT {

   # Create a list of the response headers to preserve.  This needs to be tailored to the application!
   set static::headers_to_preserve [list \
      Accept-Range \
      Cache-Control \
      Content-Encoding \
      Content-Length \
      Content-Type \
      Etag \
      Last-Modified \
      Pragma \
      Set-Cookie \
   ]

   # Log debug messages to /var/log/ltm?  1=yes, 0=no.
   set static::clocking_debug 1
}
when HTTP_RESPONSE {

   # Remove all headers but those in the preserve list
   foreach aHeader [HTTP::header names] {
      if {not ([matchclass $static::headers_to_preserve equals $aHeader])}{
         if {$static::clocking_debug}{log local0. "Removing: $aHeader: [HTTP::header value $aHeader]"}
         HTTP::header remove $aHeader
      }
   }
}

# v9.x iRule Source

when RULE_INIT {

   # Create a list of the response headers to preserve.  This needs to be tailored to the application!
   set ::headers_to_preserve [list \
      Accept-Range \
      Cache-Control \
      Content-Encoding \
      Content-Length \
      Content-Type \
      Etag \
      Last-Modified \
      Pragma \
      Set-Cookie \
   ]

   # Log debug messages to /var/log/ltm?  1=yes, 0=no.
   set ::clocking_debug 1
}
when HTTP_RESPONSE {

   # Remove all headers but those in the preserve list
   foreach aHeader [HTTP::header names] {
      if {not ([matchclass $::headers_to_preserve equals $aHeader])}{
         while {[HTTP::header exists $aHeader]}{
            if {$::clocking_debug}{log local0. "Removing: $aHeader: [HTTP::header value $aHeader]"}
            HTTP::header remove $aHeader
         }
      }
   }
}
Version history
Last update:
‎18-Mar-2015 15:18
Updated by:
Contributors