Jump to content
Welcome to our new Citrix community!
  • NetScaler TIPs: Scoring an A+ with HTTP headers and Gateway


    Subhojit Goswami
    • Validation Status: Validated
      Has Video?: No

    NetScaler TIPs: Scoring an A+ with HTTP headers and Gateway

    Submitted August 31, 2021

    Author: Michael McAlpine

     

    HTTP security headers are a fundamental part of securing a website. They help to enhance the overall security of a web application by preventing the exploitation of potential vulnerabilities. The goal of improving HTTP headers is to prevent an externally accessible resource from providing confidential information.

    In this blog post, I’ll show you how to enhance the security posture of your Gateway to allow you to score an A+ with scanning sites like securityheaders.com. Scoring an A+ lets you know that you are helping to mitigate against cross-site scripting attacks (XSS), code injection, clickjacking, and attacks that target specific product or feature information.

    Prerequisites

    Make sure you are running supported and up to date NetScaler ADC firmware. (This blog post was written and testing using NetScaler ADC firmware 13.0.67 and multiple 12.1.x versions. Testing was performed against securityheaders.com on June 9, 2021.)

    Ensure that your Gateway has been created, configured, and is externally accessible. External accessibility is required for testing.

    Validate that the Gateway scores an A+ with SSL Labs. If not, follow the guidance in this blog post.

    Please note, some of the previously recommended cipher suites are now considered insecure. The following ciphers are recommended but older cipher suites may be required for legacy compatibility:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    The HSTS Max Age must be set to 31536000 or less in the SSL Parameters or in the SSL Profile applied to the Gateway. If it is not set, the Strict-Transport-Security test will fail, causing an A score.

    image.jpg.fb0eb0495c1df953c51fb31110a165bd.jpg

    How to Score an A+

    We will use both the CLI and GUI to enhance our HTTP headers. The CLI is more efficient and reliable for creating and binding our rewrite policies.

    By default, NetScaler ADC firmware 12.x scores a D grade and ADC Firmware 13.x scores a C grade from securityheaders.com without security enhancements. The built-in optimizations are tailored for connections within your intranet, not external connections. For external connections, we want to apply the best security possible while maintaining usability. Here is an example of a default Gateway on NetScaler ADC 13.0.67.

    image.jpg.9b218346be37d6915d194614e792f7e8.jpg

    image.jpg.193c3b1b4ac27ef4bbc9e23c03facb2b.jpg

    image.jpg.397bf9bde1634db9d54fc5d7a86ed850.jpg

    image.jpg.c352951b1fbb6f7c0350264991f8a1f8.jpg

    First, open Putty and log into your NetScaler ADC as a full administrator. I will be using the nsroot account for this example.

    image.jpg.bcef75f0b40ba98b358fcb33e64b4a62.jpg

    Here are examples of commands that create rewrite actions and policies. These CLI commands are similar to executing PowerShell commands but for a NetScaler ADC. It is important to understand exactly what each command is doing and how to troubleshoot each one if it needs to be updated. In the example below, we are creating rewrite actions and corresponding rewrite policies.

    Please note that some of the sections require adding your own information where you see Fake Name or Fake URL. Make sure to replace these strings with the information specified by your security team. The idea is to obfuscate company and server information.

    The http header Referrer-Policy: Strict-Origin will not allow an HTTP referrer header to be sent to an HTTP request, only HTTPS.

    add rewrite action REW_ACT-REFERRER_POLICY insert_http_header Referrer-Policy "\"STRICT-ORIGIN\""add rewrite policy REW_POL-REFERRER_POLICY TRUE REW_ACT-REFERRER_POLICY
     

    Expect-CT enforces a max age of 30 seconds for Certificate Transparency information. This relates to Google Chrome and has been a standard since October 2017.

    add rewrite action REW_ACT-EXPECT_CT insert_http_header Expect-CT q/"\"enforce,max-age=30\""/add rewrite policy REW_POL-EXPECT_CT TRUE REW_ACT-EXPECT_CT
     

    Modifying the frame hardens the http header to help mitigate XSS attacks by controlling what types of content is allowed to be loaded on the site. Frame-Ancestors is the predecessor to X-Frame-Options and is not accepted or utilized by some newer browsers.

    add rewrite action REW_ACT-CONTENT_SECURITY_POLICY insert_http_header Content-Security-Policy "\"frame-ancestors \'self\'\""add rewrite policy REW_POL-CONTENT_SECURITY_POLICY TRUE REW_ACT-CONTENT_SECURITY_POLICY
     

    Setting the http header to nosniff prevents the browser from doing content and/or MIME-type sniffing. This helps mitigate MIME confusion attacks and unauthorized hotlinking.

    add rewrite action REW_ACT-X_CONTENT_TYPE_OPTIONS insert_http_header X-Content-Type-Options "\"nosniff\""add rewrite policy REW_POL-X_CONTENT_TYPE_OPTIONS TRUE REW_ACT-X_CONTENT_TYPE_OPTIONS
     

    Setting X-XSS-Protection to 1 will enable a filter and instruct the browser to sanitize the page if an XSS attack is detected. Mode=Block causes the browser to prevent the rendering of the page entirely rather than simply sanitizing the page.

    add rewrite action REW_ACT-X_XSS_PROTECTION insert_http_header X-Xss-Protection "\"1; mode=block\""add rewrite policy REW_POL-X_XSS_PROTECTION TRUE REW_ACT-X_XSS_PROTECTION
     

    The following section deletes the X-Powered-By header details. This makes targeted attacks more challenging because the attacker will not be provided with valid header information from and about the queried website.

    add rewrite action REW_ACT-DELETE_X-POWERED-BY delete_http_header X-Powered-Byadd rewrite policy REW_POL-DELETE_X-POWERED-BY TRUE REW_ACT-DELETE_X-POWERED-BY
     

    The following section removed the server http header details. This makes targeted attacks more challenging because the attacker will not be provided with valid information from the quarried website.

    add rewrite action REW_ACT-DELETE_SERVER delete_http_header Serveradd rewrite policy REW_POL-DELETE_SERVER TRUE REW_ACT-DELETE_SERVER
     

    A Permissions-Policy was a recent addition to web security and is now a standard on new website deployments. We will also replace FAKE URL with whatever your security team wishes to specify for a URL. The URL information is not important and can be blank.

    add rewrite action REW_ACT-PERMISSIONS_POLICY insert_http_header Permissions-Policy q{"geolocation=(self \"https://FAKE URL.com\")"}add rewrite policy REW_POL-PERMISSIONS_POLICY TRUE REW_ACT-PERMISSIONS_POLICY
     

    This section modifies the http header to update the default x-powered-by section to add fake information. Leaving the default allows a potential attacker to target attacks based on this information. (Please note, you should replace Fake Name with whatever you want. In this case, Fake Name is not important and can be left blank.)

    add rewrite action REW_ACT-X-POWERED-BY insert_http_header X-Powered-By "\"Fake Name\""add rewrite policy REW_POL-X-POWERED-BY TRUE REW_ACT-X-POWERED-BY
     

    This modifies the server section of the HTTP header to add a fake name. (Please note, you should replace Fake Name with whatever you want. In this case, Fake Name is not important and can be left blank.)

    add rewrite action REW_ACT-SERVER insert_http_header Server "\"Fake Name\""add rewrite policy REW_POL-SERVER TRUE REW_ACT-SERVER
     

    You should run each command individually for easier troubleshooting. Look for Done after each line. If there is a failure creating the rewrite action or the corresponding rewrite policy, remove that item and try again after determining what went wrong.

    image.jpg.fbe3a0901351402e52190251b9c1d8c1.jpg

    Check in the ADC UI. Navigate to AppExpertRewritePolicies and Actions. There should be 10 new Rewrite Policies and 10 new Rewrite Actions in each section.

    image.jpg.a7bd89ff09d14e8cc53b07e8c890078a.jpg

    image.jpg.71545c3207da7afff21168a2bb936389.jpg

    Navigate to AppExpert → RewriteRewrite Policies and select Policy Manager. Change the Bind Point to VPN Virtual Server, change the Connection Type to Response, and change the Virtual Server to your Gateway (GW-17 in my case).

    image.jpg.6015cf0219b7c3be22b853c07373b18c.jpg

    Bind all your newly created Rewrite Policies to your Citrix Gateway. Make sure all the GOTOEXPRESSIONS have NEXT. The final GOTOEXPRESSION should have END. An earlier END causes the Gateway to ignore any further expressions.

    image.jpg.cb15315fb0574a131a5de7dd02f8b1ca.jpg

    Clear the ADC cache by running the following command in the CLI: flush cache contentgroup loginstaticobjects.

    image.jpg.6ea509b04763acb2d2802d0496117929.jpg

    Wait a few minutes and test again. You should get the following report summary.

    image.jpg.96e844c60feadcafb316a3307bdb31e9.jpg

    Your Rewrite Policies will be bound to the Gateway and are accessible in Citrix GatewayVirtual ServersServer NamePoliciesResponse PoliciesRewrite Policies.

    image.jpg.3e6f5cb6acd211023bd0b1ab1068e2e8.jpg

    Congratulations, you now score an A+ at securityheaders.com! You have done your part to mitigate against XSS attacks, clickjacking, code injection, and targeted attacks in a way that is transparent to your user base.

    Troubleshooting (Or Why Didn’t I Score an A+?)

    Securityheaders.com may have added or changed scan criteria. Review the scan results and messages indicating why your score was not an A+ for further troubleshooting.

    If your score did not change after applying your Rewrite Policies, make sure to check that they are applied as Response policies on the Gateway and verify that the GOTOEXPRESSION is NEXT for all but the last policy, which should have END.

    The topics I covered in this blog post will help you to enhance the security posture of your NetScaler ADC and Gateway. Learn more in our Configure Cookies, Headers, and Polling documentation.


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...