Response Header Security Wizard

Purpose

The Response Header Security Wizard allows you to configure vWAF to improve client side security. The wizard guides you through configuration of the following response header security features:

  • X-Frame-Options (XFO)

    The header determines whether or not a browser is allowed to render a page, protected by vWAF, within a frame on another page (either from the same origin or another location). Configuring the XFO response header helps prevent 'clickjacking' by ensuring that a trusted page is not embedded within a frame on a potentially malicious page or site.

  • X-XSS-Protection

    Prevents pages from loading if cross site scripting attacks are detected. Configuring the X-XSS-Protection response header instructs the browser to detect and block or hide cross site scripting, to protect against injection of client side scripts.

  • X-Content-Type-Options

    Reduces the risk of attacks based on MIME-type confusion or ambiguity. Configuring the X-Content-Type-Options response header prevents the browser from guessing ('MIME sniffing') the type of content and potentially loading malicious content. The browser will load and render content based on the declared content type only. For example, the browser will render content marked as 'text/plain' as plain text; it will not attempt to load the file as any other content type (such as a script).

  • Content-Security-Policy (CSP)

    Reduces the risk of cross site scripting attacks by controlling the resources the browser can load. CSP specifies which content (for example, JavaScript, CSS, fonts, images) the browser should or should not load or execute. In this case, the location of content is either inline (in the HTML body) or loaded from another URL (from the same origin or another location). If you enable the Content-Security-Policy response header, you specify the locations (URLs, for example) from which the browser can load resources. Note that vWAF sets the CSP directive 'default-src' only and supports the source values 'self', 'unsafe-inline' and 'unsafe-eval'. For further information, see https://content-security-policy.com/

Not all browsers support all these features: X-Frame-Options (XFO), X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy (CSP).

You must take care when configuring Content-Security-Policy (CSP) and X-XSS-Protection as these restrictions may break applications (preventing users from accessing pages).

Ensure you check and test your application to confirm the security response header settings and browser combinations do not break applications.

The security response header settings become active when the application is in protection mode.

Configuring Response Header Security options

  1. To start the Response Header Security Wizard, from the Application Control menu select the relevant application, select the Wizards tab and click Response Header Security Wizard.

    The first page of the Response Header Security Wizard appears.

  2. Follow the wizard to configure the Response Header Security options and attributes, detailed below.
  3. Commit and activate the ruleset (see Committing and Activating Ruleset Changes).

Attributes

The following attributes are listed by name, each followed by its meaning.

HTML Frame Restrictions

Set the X-Frame-Options (XFO) options. This determines whether or not the browser renders content protected by vWAF within a frame:

  • deny: Do not allow the browser to render a page, protected by vWAF, within a frame on another page.
  • sameorigin: Allow the browser to render content in a frame, provided the frame is within the same origin. The browser will not render content within a frame in another location (beyond the scope of the origin).

XSS Protection

Set the XSS (X-XSS) Protection options. This determines how the browser responds if cross-site scripting is detected:

  • enable: Enable XSS protection so that if a cross site scripting attack is detected, the browser removes unsafe content from the page.
  • enable_and_block: Enable XSS protection. If a cross site scripting attack is detected, the browser will not display the page at all (rather than remove unsafe content from the page).
  • disable: Disable XSS filtering. No protection.

Content Type Restrictions

You can enable Content Type Restriction (X-Content-Type-Options: nosniff) to ensure the browser loads and renders content based on the Content-Type header MIME type only. This prevents the browser from 'MIME sniffing' and potentially loading malicious content. For example, if 'X-Content-Type-Options: nosniff' is not enabled, a browser could load a file with misleading attributes, treat the file as HTML and execute a malicious script.

Content Security Policy (CSP)

You can enable the Content Security Policy (CSP) response header to reduce the risk of cross site scripting. This determines the locations (and CSP directives) from which the browser can load resources.

The first step is to enable the Content Security Policy (CSP) response header. The next step allows you to specify the URLs from which the browser can load resources.

CSP Resources

You can add the required CSP Resources. If CSP is enabled, the policy is built as follows:

  • vWAF always adds the CSP directive 'default-src' with the source value self. This ensures the browser loads resources from the same origin only, including protocol (http or https), host and port.
  • Additional URLs. You can add URLs that are required in addition to 'self'. This allows the browser to load resources from the specified URLs.
  • vWAF also supports the CSP source values unsafe-inline and unsafe-eval. You can add these as required.

You add each entry as a separate resource. For example, to include the CSP default-src self, add the CSP directive unsafe-inline, and add the host foo.com:
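The following is an added example, not vWAF's own code: it builds the response headers that the wizard attributes above describe (the mapping of the attribute values deny/sameorigin and enable/enable_and_block/disable to the header values DENY/SAMEORIGIN and 1 / 1; mode=block / 0 is an assumption based on the header specifications, not something the page states), then audits a constructed sample response against them so you can confirm what the application actually returns.

```python
"""Added example (not vWAF's own code): derive the security response headers
from wizard-style attributes and audit a captured response against them."""
from dataclasses import dataclass, field


@dataclass
class HeaderSecurityConfig:
    frame_restriction: str = "sameorigin"     # "deny" | "sameorigin"
    xss_protection: str = "enable_and_block"  # "enable" | "enable_and_block" | "disable"
    nosniff: bool = True                      # Content Type Restriction
    csp_enabled: bool = True
    csp_resources: list = field(default_factory=list)  # e.g. ["unsafe-inline", "foo.com"]


def build_headers(cfg: HeaderSecurityConfig) -> dict:
    """Return the header name -> value pairs the configuration implies."""
    headers = {"X-Frame-Options": cfg.frame_restriction.upper()}  # DENY / SAMEORIGIN
    xss_values = {"enable": "1", "enable_and_block": "1; mode=block", "disable": "0"}
    headers["X-XSS-Protection"] = xss_values[cfg.xss_protection]
    if cfg.nosniff:
        headers["X-Content-Type-Options"] = "nosniff"
    if cfg.csp_enabled:
        # 'self' is always present; keyword sources are quoted, host sources are not
        sources = ["'self'"]
        for res in cfg.csp_resources:
            sources.append(f"'{res}'" if res in ("unsafe-inline", "unsafe-eval") else res)
        headers["Content-Security-Policy"] = "default-src " + " ".join(sources)
    return headers


def audit_response(expected: dict, actual: dict) -> list:
    """List every way the actual headers fall short of the expected ones."""
    findings = []
    actual_ci = {k.lower(): v for k, v in actual.items()}  # header names are case-insensitive
    for name, want in expected.items():
        got = actual_ci.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    csp = actual_ci.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP weakens XSS protection: unsafe-inline/unsafe-eval present")
    return findings


# Constructed sample response (not captured from a real site): no XFO, no nosniff.
SAMPLE_RESPONSE_HEADERS = {
    "content-type": "text/html",
    "x-xss-protection": "1; mode=block",
    "content-security-policy": "default-src 'self' 'unsafe-inline' foo.com",
}
```

Running `audit_response(build_headers(HeaderSecurityConfig(csp_resources=["unsafe-inline", "foo.com"])), SAMPLE_RESPONSE_HEADERS)` reports the two missing headers and flags the unsafe-inline source, which is the kind of check to run before switching the application to protection mode.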

Handlers configured by the Response Header Security Wizard

The Response Header Security Wizard configures the following handler: