Using CF rule to remove header tagged by pen test team
Hey all, So a client of mine had a pen test early this year and the test team flagged a Via header that details what proxy (and its version) the request originated from, a well known hosting provider I might add, but said client cut an issue hoping for a solution i.e. "can you delete or modify this header in-flight?". Well I tried a "Modify Response Header" Transform Rule to no avail and it occurred to me I might be barking up the wrong header tree as said header might be exposed via the Request header as well given CF is in-between the Request / Response stream. I'm half-inclined to tell client "Don't be concerned about this." but thought I'd ask here for some feedback and or a recommendation and or a best practice if any of those options are valid or exist. Gut instinct is telling me, "It can be done you silly human" but figured it couldn't hurt asking for opnions as opposed to getting in a spin loop over a non-worky solution. Cheers and hope everyone is having a good day!
6 Replies
You can use Modify Response Headers to remove headers sent from your origin, yea. What's the exact rule you tried? The trace tool under account level can be helpful to see if it's actually matching or not
I did use a Modify Response header to no avail. It is a Custom Filter Expression. Here is the expression detail from the dialog:
URI equals "/Via: 1.1 vegur" And Hostname equals "my.target.host.com" then Remove Header name Via.
And the expression:
(http.request.uri eq "/Via: 1.1 vegur" and http.host eq "my.target.host.com")
Used FF DevTools to check if the header was removed or not in my case 🙂 I haven't had to revisit this yet today but will make time later
why would the URI ever equal that?
URI is the path with query string, ex:
/articles/index?section=539061&expand=comments
You just need the hostname equals there reallyNot sure I understand your question. I do understand what a URI is and Via: 1.1 veger is an upstream proxy (at Heroku) that the pen test teamed tagged as exposing the proxy version, but i'm starting to wonder if it's really necessary to try to mask or alter that via header
For this rule to match, your url would have to be
https://my.target.host/Via: 1.1 vegur exactly
(you most likely just want the http.host eq selector part of it, not the uri.eq)@Chaika @Leo roger that. will look into it mañana. cheers !
@Chaika Just an FYI: Today it dawned on me that that 1.1 is not the version of the proxy, it's the HTTP protocol version. Apparently the pen tester(s) misinterpreted it to be proxy version. In the end no action required on my part. Thanks for your help nonetheless !