Preventing Data Leakage
Simple steps to prevent data leakage
How to prevent the leaking of server system information when routing the response through the LoadMaster.
|Steps to Reproduce:|
Some headers (such as the "server" header) can sometimes inadvertently disclose information about the systems in a network environment.
The port 80 Redirect can sometimes leak IP information about the real server.
The "Server" header can contain information about the current version of the web server. This can be important information for bad actors and pen testers alike. By removing the header when it passes back through the LoadMaster (LM) this information is harder to attain.
To remove the server header create a rule as follows:
Rule Type: Delete header
Rule name : remove_server_header
Match String : server
Perform If Flag Set: [Unset]
Perform If Flag is NOT Set: [Unset]
Add to "Response Rules" on the virtual service under "Advanced Properties -> Show Header Rules"
Select the rule based on name and click the Add button.
The rule should now be added as shown in the below screenshot.
Locking Down the port 80 Redirect:
When using a port 80 redirect by default the LM will create a 302 redirect using the following "https://%h%s" where %h is the same host and %s is the same path.
With a specially crafted query this can disclose the internal IP structure of the virtual service.
To prevent this a better redirect would instead be set to the domain such as "https://www.domain.com%s". This would then have the FQDN of the site and not an IP of the real server.