Adding security headers to ESP form based login page

I'm running a webpage that is protected with a KEMP ESP FBA login page. When scanning the site with securityheaders.com it obviously scans the ESP FBA login page, as securityheaders.com is unable to authenticate. I'm now being flagged with a D rating because the FBA page is missing security headers and unfortunately I'm unable to find any option in KEMP LoadMaster to apply them :(

I tried adding header rules to the VS, but these only kick in after you successfully log in, so they don't help with the rating.

The only header that can be added in the interface is Strict-Transport-Security, but even that one is flagged by securityheaders.com as not having the proper max-age value :(

Isn't there really any option to add these headers to the ESP FBA page?


Cheers, Marcin


2 comments


Andrew Spagnuolo

Hi Marcin,

Could you tell me where exactly you are attempting to add these security rules?

Have you followed our article on the topic? https://support.kemptechnologies.com/hc/en-us/articles/9328173537805-Add-Security-Headers

You would want to make sure you are adding these as "Response Rules".

Best Regards,



Marcin Dobija

Hi Andrew,

Yes, I have followed the article; however, headers added this way only apply to the traffic coming from the real server, and I'm looking to add security headers to the initial response that comes from ESP, before the redirect to the logon page or the redirect to the SAML site.

The headers added the way the article mentions will be applied post-login, which in the case of security ranking sites like "securityheaders.com" or bitsight.com will never be reached, as these sites do not follow redirects when checking sites and will never be able to log in.

Thanks,

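The practical check behind this thread is to look at exactly what a scanner that cannot log in and does not follow redirects sees: the very first response for the URL, not the page the real server returns after authentication. The script below is an added example written for this page (it is not KEMP's code and not from either poster); it uses only Python's standard library, and the header list, the one-year HSTS threshold and the two sample responses are assumptions constructed to illustrate the problem. It lets you compare the pre-login response with a hardened one, and can be pointed at a live URL to confirm whether a response rule actually reached the ESP response.

```python
import http.client
import re
import urllib.parse

# Headers that securityheaders.com-style scanners commonly grade on (assumed
# list; the service's exact checks and weights are not stated in the thread).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)

# Assumed threshold: scanners usually want at least one year for HSTS max-age.
MIN_HSTS_MAX_AGE = 31536000


def hsts_max_age(value):
    """Return the max-age integer from an HSTS header value, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def evaluate_headers(headers):
    """Grade one response's headers (a list of (name, value) pairs).

    Returns which expected headers are missing and whether HSTS is present
    with a large enough max-age.
    """
    present = {name.lower(): value for name, value in headers}
    missing = [h for h in EXPECTED_HEADERS if h not in present]
    hsts = present.get("strict-transport-security")
    max_age = hsts_max_age(hsts) if hsts is not None else None
    hsts_ok = max_age is not None and max_age >= MIN_HSTS_MAX_AGE
    return {"missing": missing, "hsts_max_age": max_age, "hsts_ok": hsts_ok}


def fetch_first_response(url, timeout=10):
    """Send one GET and return (status, headers, location) of the first reply.

    http.client never follows redirects, so this is the response a scanner
    that does not follow redirects (and cannot log in) will evaluate.
    """
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("GET", path, headers={"User-Agent": "first-response-check"})
        resp = conn.getresponse()
        headers = resp.getheaders()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, headers, resp.getheader("Location")
    finally:
        conn.close()


def check_url(url):
    """Fetch the first response for url and return its header report."""
    status, headers, location = fetch_first_response(url)
    report = evaluate_headers(headers)
    report["status"] = status
    report["redirects_to"] = location
    return report


# Constructed sample: a pre-login redirect to a logon page carrying only a
# short HSTS value, i.e. the situation described in the thread (values made up).
SAMPLE_PRELOGIN = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Location", "/logon-page-placeholder"),
]

# Constructed sample: the same redirect with the headers a scanner looks for.
SAMPLE_HARDENED = [
    ("Content-Type", "text/html"),
    ("Location", "/logon-page-placeholder"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "no-referrer"),
    ("Permissions-Policy", "camera=(), microphone=()"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))  # live check of the first response only
    else:
        print("pre-login sample:", evaluate_headers(SAMPLE_PRELOGIN))
        print("hardened sample: ", evaluate_headers(SAMPLE_HARDENED))
```

Run it with no arguments to see the two constructed samples graded, or with a URL to grade the first response of a real site. Because the request is never followed through the redirect, the output reflects the ESP response rather than the post-login page, which is the response the rating services in the thread are actually grading.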