Forum Discussion

MattNears's avatar
MattNears
Icon for Nimbostratus rankNimbostratus
Oct 02, 2019

HTTP Header responce problem

Good Morning,

I have an issue with some of my response headers and an irule for replacing certain responses. The rule I have below is set agains a number of our sites but when running a header response scan some of the comments don't seem to be respected. For example the "Server" and "X-Powered-By" still come back with the actual server and IIS details. Am I missing something or have I go the argument wrong?

BTW I've new with F5's and still learning how to create these syntax so appologese if I ask what seem like dumb questions, thank in advance.

when HTTP_RESPONSE {

 

    foreach mycookie [HTTP::cookie names] {

 

                HTTP::cookie secure $mycookie enable

 

        }

 

  if { !([ HTTP::header exists "X-Frame-Options" ])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }

  if { !([ HTTP::header exists "X-Powered-By" ])} { HTTP::header insert "X-Powered-By" "Server" }

  if { !([ HTTP::header exists "Server" ])} { HTTP::header insert "Server" "A-Server" }

  if { !([ HTTP::header exists "Cache-Control" ])} { HTTP::header insert "Cache-Control" "no-cache" } 

  if { !([ HTTP::header exists "X-XSS-Protection" ])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }

  if { !([ HTTP::header exists "X-Content-Type-Options" ])} { HTTP::header insert "X-Content-Type-Options" "nosniff" } 

  if { !([ HTTP::header exists "Strict-Transport-Security" ])} { HTTP::header insert "Strict-Transport-Security" "max-age=15768000" } 

 

}

  • Hi MattNears,

    If server's response contains "Server" header or "X-Powered-By" header or other headers in the iRule, "Server" and "X-Powered-By" headers will come back with the actual server and IIS details. You should use "else" blocks and HTTP::header replace command.

    if { !([HTTP::header exists "Server"]) } {
    	HTTP::header insert "Server" "A-Server"
    } else {
    	HTTP::header replace "Server" "A-Server"
    }
  • Hi MattNears,

    If server's response contains "Server" header or "X-Powered-By" header or other headers in the iRule, "Server" and "X-Powered-By" headers will come back with the actual server and IIS details. You should use "else" blocks and HTTP::header replace command.

    if { !([HTTP::header exists "Server"]) } {
    	HTTP::header insert "Server" "A-Server"
    } else {
    	HTTP::header replace "Server" "A-Server"
    }
    • MattNears's avatar
      MattNears
      Icon for Nimbostratus rankNimbostratus

      Thanks, that makes sense now, I'd not realised you could combine with else statements.

  • As a side note to the above I do occasionally have issues where the set secure cookie comes back with a "no prefix" and "not a samesite" cookie error,

    Set-CookieASP.NET_SessionId=br3sthsomuihmjyey4xkqmh5; path=/; HttpOnly;Secure

    do I need to adjust the first line so all cookies are set as secure?

  • Just to resurect this thread a little and ask a new question, I managed to resolve me Secure cookie issue, found it in the cookie persistence profice and have that now working nicely.

     

    My new issue seems to be on if { !([ HTTP::header exists "X-AspNet-Version" ])} {HTTP::header remove "X-AspNet-Version" } not working and removing the header as it should. Now I did consider switching it and adding an arguement to insert a ficticious value anf then use else and remove but this hasn't worked either. I'm sure I'm missing something but just struggling to work out what I've missed.

    Any advice will be wlecome here.