“Q11827 HTTP Security Header Not Detected” on NetScaler Management IP Using Qualys Scan


1. This is a generic template that is applicable across various NetScaler versions; some of these settings may not be needed on later versions. For version-specific configuration, review Fiddler or browser dev-tool output while accessing the NetScaler Management IP, and apply the configuration in Part 2 for the missing headers only.

2. Take a system backup before making any changes.

3. Thoroughly check GUI access and the functionality of API-based monitoring tools (NMAS, Command Center, any other) with NetScaler after making these changes.

Part 1: Execute the following commands at the shell prompt to enable the rewrite feature on the Management IP and to make the change persistent across reboots (on both primary and secondary)

nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0

cd /nsconfig

echo nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 >> rc.netscaler

cat rc.netscaler | grep skip_systemaccess

Part 2: Exit from the shell and execute the following commands at the > prompt (on the primary only; these commands will sync to the secondary)

enable ns feature rewrite

add policy expression is_management_ip client.ip.dst.eq(SYS.NSIP)

add rewrite action insert_x-xss-protection_act insert_http_header X-XSS-Protection "\"1; mode=block\""

add rewrite action insert_x-content-type-options_act insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action insert_x-frame-options_act insert_http_header X-Frame-Options "\"SAMEORIGIN\""

add rewrite action insert_x-hsts-header_act insert_http_header Strict-Transport-Security "\"max-age=157680000; includeSubDomains\""

add rewrite action insert_CSP_act insert_http_header Content-Security-Policy "\"frame-ancestors 'self'\""

add rewrite policy insert_x-xss-protection_pol "is_management_ip && http.RES.HEADER(\"X-XSS-Protection\").EXISTS.NOT" insert_x-xss-protection_act

add rewrite policy insert_x-content-type-options_pol "is_management_ip && http.RES.HEADER(\"X-Content-Type-Options\").EXISTS.NOT" insert_x-content-type-options_act

add rewrite policy insert_x-frame-options_pol "is_management_ip && http.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" insert_x-frame-options_act

add rewrite policy insert_x-hsts-header_pol "is_management_ip && http.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" insert_x-hsts-header_act

add rewrite policy insert_CSP_pol "is_management_ip && http.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT" insert_CSP_act

#Note: The priority Nos below may have to be edited to not conflict with existing globally bound policies

bind rewrite global insert_x-xss-protection_pol 2 next -type RES_DEFAULT

bind rewrite global insert_x-content-type-options_pol 3 next -type RES_DEFAULT

bind rewrite global insert_x-frame-options_pol 4 next -type RES_DEFAULT

bind rewrite global insert_CSP_pol 5 next -type RES_DEFAULT

bind rewrite global insert_x-hsts-header_pol 6 next -type RES_DEFAULT
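
Item 1 above says to apply Part 2 only for the headers that are actually missing. The following Python sketch is an added example, not part of the original article: it takes response headers captured from the Management IP (the sample response is constructed, and the function names are hypothetical) and lists the Part 2 policies that still need to be created and bound.

```python
# Added example: map a captured management-IP response to the Part 2
# policies that are still needed. Header matching is case-insensitive.

# Header -> (rewrite policy, global bind priority), as listed in Part 2.
TEMPLATE = {
    "X-XSS-Protection": ("insert_x-xss-protection_pol", 2),
    "X-Content-Type-Options": ("insert_x-content-type-options_pol", 3),
    "X-Frame-Options": ("insert_x-frame-options_pol", 4),
    "Content-Security-Policy": ("insert_CSP_pol", 5),
    "Strict-Transport-Security": ("insert_x-hsts-header_pol", 6),
}


def parse_headers(raw):
    """Return the set of lower-cased header names in a raw response head."""
    names = set()
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())
    return names


def missing_headers(raw):
    """Headers from the template that the response does not carry."""
    present = parse_headers(raw)
    return [h for h in TEMPLATE if h.lower() not in present]


def bind_commands(raw):
    """Bind lines (Part 2 syntax) for the missing headers only."""
    return [
        "bind rewrite global %s %d next -type RES_DEFAULT" % TEMPLATE[h]
        for h in missing_headers(raw)
    ]


# Constructed sample: two of the five headers are already present.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>"
)

if __name__ == "__main__":
    print("\n".join(bind_commands(SAMPLE_RESPONSE)))
```

Each bind line it prints still needs the matching add rewrite action and add rewrite policy commands from Part 2, and the priorities may need adjusting as noted above.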



How to Force Secure and HttpOnly Cookie Options for Websites Using NetScaler Appliance

Important! You cannot use the HttpOnly option when a web application requires access to cookie contents from a client-side script such as JavaScript or a client-side Java applet. With the method described in this article, only server-generated cookies can be rewritten, not cookies generated by the NetScaler appliance (for example, AppFirewall, persistence, or VPN session cookies).

Also note that this procedure is not applicable to VPN Vservers.

To configure the NetScaler appliance to force the Secure and HttpOnly flags for an existing HTTP virtual server, complete the following steps:

Using NetScaler GUI

  1. Go to Rewrite > Actions, and then click add to add a new rewrite action.

  2. Go to Rewrite > Policies and then click add to add a new Rewrite policy.

  3. Go to Load Balancing > Virtual Servers and then bind the Rewrite (Response) policy to the corresponding SSL VServer.

Using NetScaler CLI

  1. Create a rewrite action (this example is configured to set both Secure and HttpOnly flags. If either one is missing, modify it as necessary for other combinations).

    add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"path=/; Secure; HttpOnly\"" -search "regex(re!(path=/\; Secure; HttpOnly)|(path=/\; Secure)|(path=/\; HttpOnly)|(path=/)!)" -bypassSafetyCheck YES

  2. Create a rewrite policy to trigger the action.

    add rewrite policy rw_force_secure_cookie "http.RES.HEADER(\"Set-Cookie\").EXISTS" act_cookie_Secure

  3. Bind the rewrite policy to the VServer to be secured (if Secure option is used, an SSL VServer should be used).

    bind lb vserver mySSLVServer -policyName rw_force_secure_cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
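
Before binding the policy, it helps to see which Set-Cookie shapes the search pattern in step 1 normalises cleanly and which need a closer look. The Python model below is an added example, not part of the original article: Python's re module stands in for the appliance's regex engine (an assumption), the Set-Cookie lines are constructed, and the function names are hypothetical.

```python
import re

# The article's -search alternation, transcribed for Python's re module
# (assumption: alternatives are tried left to right, case-sensitively;
# the CLI form's "\;" is a literal ";").
SEARCH = re.compile(
    r"(path=/; Secure; HttpOnly)|(path=/; Secure)|(path=/; HttpOnly)|(path=/)"
)
REPLACEMENT = "path=/; Secure; HttpOnly"


def rewrite(line):
    """Model replace_all: substitute every non-overlapping match."""
    return SEARCH.sub(REPLACEMENT, line)


def attrs(line):
    """Lower-cased cookie attributes that follow the name=value pair."""
    parts = [p.strip().lower() for p in line.split(":", 1)[1].split(";")]
    return parts[1:]


def path_of(line):
    return next((a for a in attrs(line) if a.startswith("path=")), None)


def check(line):
    """Return (rewritten header, verdict) for one Set-Cookie line."""
    out = rewrite(line)
    found = attrs(out)
    if path_of(out) != path_of(line):
        return out, "path changed"
    for flag in ("secure", "httponly"):
        if found.count(flag) == 0:
            return out, "flag missing"
        if found.count(flag) > 1:
            return out, "flag duplicated"
    return out, "ok"


# Constructed Set-Cookie lines covering the shapes worth testing on a vserver.
SAMPLES = [
    "Set-Cookie: sid=abc; path=/",
    "Set-Cookie: sid=abc; path=/; Secure; HttpOnly",
    "Set-Cookie: sid=abc; path=/; HttpOnly; Secure",
    "Set-Cookie: sid=abc; Path=/",
    "Set-Cookie: sid=abc; path=/app",
    "Set-Cookie: sid=abc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample))
```

Any application cookie that does not come back as "ok" in this model is worth checking against the real response after the policy is bound.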



How to have a random Background Image on NetScaler Gateway Page

1) Create a folder at and deposit your contents – label them desktop_0x.jpg:

2) Create a portal theme based on X1 and edit the background image to desktop_01.jpg (select image, upload it):

3) Bind the portal theme to NSG.

4) Then create the following policies (note these commands are for the CLI, as they escape special characters):

>add rewrite action rewrite_image_background replace HTTP.REQ.URL.PATH_AND_QUERY "\"/logon/themes/custom_media_test/desktop_0\"+ sys.RANDOM.MUL(7).ADD(1).TYPECAST_NUM_AT+\".jpg\""

>add rewrite policy rewrite_background_request "http.REQ.URL.CONTAINS(\"desktop_01.jpg\")" rewrite_image_background



5) Bind the rewrite policy to the NetScaler Gateway.

6) Go to the NetScaler Gateway URL and refresh the page. You should be getting a random image every time you refresh.



How URL rewriting works in DataPower to be specific what is the effect of “URL Rewrite Direction”

What is the effect of assigning “Response” to “URL Rewrite Direction” to a URL rewrite policy?

Can we use URL rewrite policy to rewrite Backend URL?

Does it only rewrite statically defined “Default Backend URL” or has capability to dynamically defined “Backend URL”?

According to the documentation https://www.ibm.com/support/knowledgecenter/en/SS9H2Y_7.5.0/com.ibm.dp.doc/urlrewritepolicy.html, URL rewriting policy is invoked before processing which implies we will not be able to rewrite dynamically defined “Backend URL”. Is this true?

If we can’t use URL Rewrite policy to rewrite the backend URL what is the purpose of having “Response” value as an option for “URL Rewrite Direction”? If you could share use cases it will be helpful.



Re-evaluate after rewrite

I have an action to rewrite a URL, removing the path portion of the request:

<Proxy "fc rewrites"> client.address=fcServer

client.protocol=https action.fcRewrite(yes)

define action fcRewrite
rewrite (url, "^https://(.+?)/.+$", "https://$(1)")
end action fcRewrite

On policy trace, it appears the original URL is evaluated by policy and appropriate action taken – only the rewritten URL is sent to the OCS. I need the re-written URL to be re-evaluated by policy, is this even possible?

Thanks all!



DM013 Alert in system healthcheck report. What does it mean and how to solve it?

Rule : DM013
Issue Detected : SCSI rewrite-in-place errors
Severity : Low
Components : disk17[spa1.encl9](HWID: 1448) (from catalog) –
suspected disk

Expert’s Advice :

No action is required to be performed.
This information is valuable only when there is a noticeable
performance degradation on the system. This issue may be a hint
to investigate performance of the disks reporting
these errors.