Add Security Headers

Information

Summary:
Add Security headers to the LoadMaster (LM) and Virtual Service (VS).
Environment:

Product: LoadMaster

Version: 7.2.57

Platform:

Application: SSL accelerated services

Question/Problem Description:
Add security headers to HTTP/HTTPS traffic using content rules
Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

Security requirements sometimes call for additional headers on client responses. These headers increase the security of the response and help prevent attacks such as:

  • Cross-site scripting
  • Clickjacking
  • Content sniffing
  • Data injection attacks
  • Data leakage
Resolution:

The security headers to add are listed below.

To add the headers below to the LoadMaster, navigate to:

Rules & Checking --> Content Rules --> Create New

Content rules to be created:

Rule 1:

Rule Type: Add Header

Header Field to be Added: X-Frame-Options

Value of Header Field to be Added: SAMEORIGIN

Perform If Flag Set: [Unset]

Perform If Flag is NOT Set: [Unset]

Rule 2:

Rule Type: Add Header

Header Field to be Added: X-Content-Type-Options

Value of Header Field to be Added: nosniff

Perform If Flag Set: [Unset]

Perform If Flag is NOT Set: [Unset]

Rule 3:

Rule Type: Add Header

Header Field to be Added: X-XSS-Protection

Value of Header Field to be Added: 1; mode=block

Perform If Flag Set: [Unset]

Perform If Flag is NOT Set: [Unset]

Rule 4:

Rule Type: Add Header

Header Field to be Added: Content-Security-Policy

Value of Header Field to be Added: script-src 'self'; object-src 'self'

Perform If Flag Set: [Unset]

Perform If Flag is NOT Set: [Unset]

Rule 5:

Rule Type: Add Header

Header Field to be Added: Referrer-Policy

Value of Header Field to be Added: no-referrer-when-downgrade

Perform If Flag Set: [Unset]

Perform If Flag is NOT Set: [Unset]

Rule 5 has multiple possible values. Decide which one to use before creating the rule, or create multiple rules with different nicknames, one per value.

Valid values are:

  • Referrer-Policy: no-referrer
  • Referrer-Policy: no-referrer-when-downgrade
  • Referrer-Policy: origin
  • Referrer-Policy: origin-when-cross-origin
  • Referrer-Policy: same-origin
  • Referrer-Policy: strict-origin
  • Referrer-Policy: strict-origin-when-cross-origin
  • Referrer-Policy: unsafe-url

Once these rules have been created, they can be applied to any HTTP/HTTPS Virtual Service that uses SSL Acceleration.

Navigate to the desired Virtual Service and modify it:

Advanced Properties > HTTP Header Modifications > Response Rules > Add Rule > Add the newly created rules.
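After the response rules are attached to the Virtual Service, it is worth confirming that a client actually receives the five headers with the values configured above. The following script is an added example and is not Kemp code: it parses a raw HTTP response (for instance the output of curl -i against the VS, or the constructed sample embedded below) and reports any header that is missing, duplicated (for example when the backend already sends it), or set to a value other than the one in the rules; for Referrer-Policy it accepts any of the values listed above.

```python
# Check that a raw HTTP response carries the headers added by rules 1-5.
# Added example, not part of the Kemp article. Header names are compared
# case-insensitively; values must match the rule values exactly.

EXPECTED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "script-src 'self'; object-src 'self'",
}
# Any one of the Referrer-Policy values listed in the article is acceptable.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def parse_headers(raw: bytes) -> dict:
    """Split a raw response into {lowercased-name: [values...]}."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_security_headers(raw: bytes) -> dict:
    """Return {header: problem}; an empty dict means every rule took effect."""
    headers = parse_headers(raw)
    problems = {}
    for name, want in EXPECTED.items():
        got = headers.get(name.lower(), [])
        if not got:
            problems[name] = "missing"
        elif len(got) > 1:
            problems[name] = "duplicated: " + ", ".join(got)
        elif got[0] != want:
            problems[name] = "unexpected value " + repr(got[0])
    rp = headers.get("referrer-policy", [])
    if not rp:
        problems["Referrer-Policy"] = "missing"
    elif len(rp) > 1:
        problems["Referrer-Policy"] = "duplicated: " + ", ".join(rp)
    elif rp[0] not in REFERRER_POLICIES:
        problems["Referrer-Policy"] = "unknown value " + repr(rp[0])
    return problems

# Constructed sample: a response from a VS with all five rules applied.
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Security-Policy: script-src 'self'; object-src 'self'\r\n"
    b"Referrer-Policy: no-referrer-when-downgrade\r\n\r\n<html></html>")

if __name__ == "__main__":
    print(check_security_headers(GOOD_RESPONSE) or "all security headers OK")
```

To test a live Virtual Service, feed the script the bytes of `curl -i -k https://<vs-address>/` instead of the constructed sample.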

Workaround:  
Notes:  