How to create rewrite policies for security headers: XSS protection, HSTS, X-Content-Type-Options and Content-Security-Policy.

1. Create rewrite actions for each one of the headers. Go to AppExpert > Rewrite > Actions and click Add:

Rewrite actions:

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite action rw_act_insert_XSS_header insert_http_header X-Xss-Protection "\"1; mode=block\""

add rewrite action rw_act_insert_Xcontent_header insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action rw_act_insert_Content_security_policy insert_http_header Content-Security-Policy "\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:\""

2. Create rewrite policies and link each one to its action. Go to AppExpert > Rewrite > Policies and click Add:

Rewrite policies:

add rewrite policy enforce_STS true insert_STS_header

add rewrite policy rw_pol_insert_XSS_header "HTTP.RES.HEADER(\"X-Xss-Protection\").EXISTS.NOT" rw_act_insert_XSS_header

add rewrite policy rw_pol_insert_XContent TRUE rw_act_insert_Xcontent_header

add rewrite policy rw_pol_insert_Content_security_policy TRUE rw_act_insert_Content_security_policy

3. Bind the policies to the vserver at the RESPONSE bind point with Goto Expression NEXT, so that evaluation continues through all four policies:

Vserver binding commands:

bind vpn vserver access -policy enforce_STS -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

bind vpn vserver "VSERVERNAME" -policy rw_pol_insert_XSS_header -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

bind vpn vserver access -policy rw_pol_insert_XContent -priority 120 -gotoPriorityExpression NEXT -type RESPONSE

bind vpn vserver access -policy rw_pol_insert_Content_security_policy -priority 130 -gotoPriorityExpression NEXT -type RESPONSE

NOTE: For SSLVPN, use the Content-Security-Policy action below instead:

add rewrite action Rewrite_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' http://localhost:* data:\""

The localhost exception is required because the browser passes the cookie and gateway information to the plugin through an HTTP call to localhost. With a CSP that allows only 'self', only requests to the vserver itself would be permitted.

Because the AAAC cookie, gateway address and related values are passed through an image load, image.src = "http://localhost:"+agentPort+"/svc?NSC_AAAC="+ns_aaac+"&nsloc="+nsloc+"&nsversion=1,1,1,1&nstrace=DEBUG&nsvip=255.255.255.255";, only img-src needs the change. That is sufficient for the communication between the browser and the plugin.

If the localhost exception is omitted, the browser may get stuck on the plugin download page.
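To verify that the rewrite policies from steps 1 to 3 actually took effect, and that the SSLVPN variant of the CSP is scoped the way the note above describes, here is an added header audit (example code, not Citrix or NetScaler code). It parses a constructed HTTP response whose header values are copied from the rewrite actions, checks the four headers, and parses the Content-Security-Policy so that a localhost source is accepted in img-src only and flagged anywhere else. The function names (parse_headers, parse_csp, hsts_max_age, audit) and the SAMPLE_RESPONSE are assumptions of this example; in practice you would feed it the headers captured from the vserver with a browser or curl.

```python
"""Audit the security headers the rewrite policies above should produce.

Added example, not Citrix/NetScaler code. It parses a constructed HTTP
response, checks the four headers the how-to inserts, and validates the
Content-Security-Policy so that the SSLVPN localhost exception appears in
img-src only. SAMPLE_RESPONSE is constructed; its header values are copied
from the how-to's rewrite actions.
"""
from typing import Dict, List

# Constructed sample: a response from the vserver after the four RESPONSE
# rewrite policies have run, using the SSLVPN variant of the CSP action.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=157680000\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self' ; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' http://localhost:* data:;\r\n"
    "\r\n"
    "<html></html>"
)

HSTS_MIN_MAX_AGE = 157680000  # five years, the value the how-to inserts


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a lower-cased name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; -1 if absent or malformed."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return -1


def audit(headers: Dict[str, str], sslvpn: bool = False) -> Dict[str, List[str]]:
    """Check a header map against the how-to. 'errors' must be empty for a
    correctly configured vserver; 'warnings' are caveats about the policy
    the how-to itself chooses (unsafe-inline / unsafe-eval)."""
    errors: List[str] = []
    warnings: List[str] = []

    if hsts_max_age(headers.get("strict-transport-security", "")) < HSTS_MIN_MAX_AGE:
        errors.append(f"Strict-Transport-Security missing or max-age below {HSTS_MIN_MAX_AGE}")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        errors.append("X-Content-Type-Options is not 'nosniff'")
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        errors.append("X-Xss-Protection is not '1; mode=block'")

    csp_raw = headers.get("content-security-policy")
    if csp_raw is None:
        errors.append("Content-Security-Policy header missing")
        return {"errors": errors, "warnings": warnings}
    csp = parse_csp(csp_raw)

    def allows_localhost(sources: List[str]) -> bool:
        return any(s.startswith("http://localhost") for s in sources)

    # The plugin handshake is an image load, so only img-src needs localhost;
    # the same source in script-src or default-src would widen the policy.
    for directive, sources in csp.items():
        if directive != "img-src" and allows_localhost(sources):
            errors.append(f"localhost source in {directive}; only img-src needs it")
    if sslvpn and not allows_localhost(csp.get("img-src", [])):
        errors.append("SSLVPN: img-src lacks http://localhost:* (plugin download page may hang)")

    for directive in ("script-src", "style-src"):
        unsafe = {"'unsafe-inline'", "'unsafe-eval'"} & set(csp.get(directive, []))
        if unsafe:
            warnings.append(f"{directive} allows {', '.join(sorted(unsafe))}; this weakens XSS protection")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = audit(parse_headers(SAMPLE_RESPONSE), sslvpn=True)
    print("errors:", result["errors"])
    print("warnings:", result["warnings"])
```

Run it against the sample and the error list is empty, while two warnings remain because the how-to's own CSP permits 'unsafe-inline' and 'unsafe-eval' in script-src and style-src. Those warnings are worth keeping in view: X-Xss-Protection is honoured only by older browsers, so on current browsers the CSP is the control that actually limits script execution, and a script-src that allows inline and eval leaves most of that protection on the table.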
