HTTP security headers are a fundamental part of securing a website. They help to enhance the overall security of a web application by preventing the exploitation of potential vulnerabilities. The goal of improving HTTP headers is to prevent an externally accessible resource from providing confidential information.

In this blog post, I’ll show you how to enhance the security posture of your Gateway to allow you to score an A+ with scanning sites like securityheaders.com. Scoring an A+ lets you know that you are helping to mitigate against cross-site scripting attacks (XSS), code injection, clickjacking, and attacks that target specific product or feature information.

Prerequisites

Make sure you are running supported and up to date NetScaler ADC firmware. (This blog post was written and testing using NetScaler ADC firmware 13.0.67 and multiple 12.1.x versions. Testing was performed against securityheaders.com on June 9, 2021.)

Ensure that your Gateway has been created, configured, and is externally accessible. External accessibility is required for testing.

Validate that the Gateway scores an A+ with SSL Labs. If not, follow the guidance in this blog post.

Please note, some of the previously recommended cipher suites are now considered insecure. The following ciphers are recommended but older cipher suites may be required for legacy compatibility:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

The HSTS Max Age must be set to 31536000 or less in the SSL Parameters or in the SSL Profile applied to the Gateway. If it is not set, the Strict-Transport-Security test will fail, causing an A score.

How to Score an A+

We will use both the CLI and GUI to enhance our HTTP headers. The CLI is more efficient and reliable for creating and binding our rewrite policies.

By default, NetScaler ADC firmware 12.x scores a D grade and ADC Firmware 13.x scores a C grade from securityheaders.com without security enhancements. The built-in optimizations are tailored for connections within your intranet, not external connections. For external connections, we want to apply the best security possible while maintaining usability. Here is an example of a default Gateway on NetScaler ADC 13.0.67.

First, open Putty and log into your NetScaler ADC as a full administrator. I will be using the nsroot account for this example.

Here are examples of commands that create rewrite actions and policies. These CLI commands are similar to executing PowerShell commands but for a NetScaler ADC. It is important to understand exactly what each command is doing and how to troubleshoot each one if it needs to be updated. In the example below, we are creating rewrite actions and corresponding rewrite policies.

Please note that some of the sections require adding your own information where you see Fake Name or Fake URL. Make sure to replace these strings with the information specified by your security team. The idea is to obfuscate company and server information.

The http header Referrer-Policy: Strict-Origin will not allow an HTTP referrer header to be sent to an HTTP request, only HTTPS.

add rewrite action REW_ACT-REFERRER_POLICY insert_http_header Referrer-Policy "\"STRICT-ORIGIN\""add rewrite policy REW_POL-REFERRER_POLICY TRUE REW_ACT-REFERRER_POLICY

Expect-CT enforces a max age of 30 seconds for Certificate Transparency information. This relates to Google Chrome and has been a standard since October 2017.

add rewrite action REW_ACT-EXPECT_CT insert_http_header Expect-CT q/"\"enforce,max-age=30\""/add rewrite policy REW_POL-EXPECT_CT TRUE REW_ACT-EXPECT_CT

Modifying the frame hardens the http header to help mitigate XSS attacks by controlling what types of content is allowed to be loaded on the site. Frame-Ancestors is the predecessor to X-Frame-Options and is not accepted or utilized by some newer browsers.

add rewrite action REW_ACT-CONTENT_SECURITY_POLICY insert_http_header Content-Security-Policy "\"frame-ancestors \'self\'\""add rewrite policy REW_POL-CONTENT_SECURITY_POLICY TRUE REW_ACT-CONTENT_SECURITY_POLICY

Setting the http header to nosniff prevents the browser from doing content and/or MIME-type sniffing. This helps mitigate MIME confusion attacks and unauthorized hotlinking.

add rewrite action REW_ACT-X_CONTENT_TYPE_OPTIONS insert_http_header X-Content-Type-Options "\"nosniff\""add rewrite policy REW_POL-X_CONTENT_TYPE_OPTIONS TRUE REW_ACT-X_CONTENT_TYPE_OPTIONS

Setting X-XSS-Protection to 1 will enable a filter and instruct the browser to sanitize the page if an XSS attack is detected. Mode=Block causes the browser to prevent the rendering of the page entirely rather than simply sanitizing the page.

add rewrite action REW_ACT-X_XSS_PROTECTION insert_http_header X-Xss-Protection "\"1; mode=block\""add rewrite policy REW_POL-X_XSS_PROTECTION TRUE REW_ACT-X_XSS_PROTECTION

The following section deletes the X-Powered-By header details. This makes targeted attacks more challenging because the attacker will not be provided with valid header information from and about the queried website.

add rewrite action REW_ACT-DELETE_X-POWERED-BY delete_http_header X-Powered-Byadd rewrite policy REW_POL-DELETE_X-POWERED-BY TRUE REW_ACT-DELETE_X-POWERED-BY

The following section removed the server http header details. This makes targeted attacks more challenging because the attacker will not be provided with valid information from the quarried website.

add rewrite action REW_ACT-DELETE_SERVER delete_http_header Serveradd rewrite policy REW_POL-DELETE_SERVER TRUE REW_ACT-DELETE_SERVER

A Permissions-Policy was a recent addition to web security and is now a standard on new website deployments. We will also replace FAKE URL with whatever your security team wishes to specify for a URL. The URL information is not important and can be blank.

add rewrite action REW_ACT-PERMISSIONS_POLICY insert_http_header Permissions-Policy q{"geolocation=(self \"https://FAKE URL.com\")"}add rewrite policy REW_POL-PERMISSIONS_POLICY TRUE REW_ACT-PERMISSIONS_POLICY

This section modifies the http header to update the default x-powered-by section to add fake information. Leaving the default allows a potential attacker to target attacks based on this information. (Please note, you should replace Fake Name with whatever you want. In this case, Fake Name is not important and can be left blank.)

add rewrite action REW_ACT-X-POWERED-BY insert_http_header X-Powered-By "\"Fake Name\""add rewrite policy REW_POL-X-POWERED-BY TRUE REW_ACT-X-POWERED-BY

This modifies the server section of the HTTP header to add a fake name. (Please note, you should replace Fake Name with whatever you want. In this case, Fake Name is not important and can be left blank.)

add rewrite action REW_ACT-SERVER insert_http_header Server "\"Fake Name\""add rewrite policy REW_POL-SERVER TRUE REW_ACT-SERVER

You should run each command individually for easier troubleshooting. Look for Done after each line. If there is a failure creating the rewrite action or the corresponding rewrite policy, remove that item and try again after determining what went wrong.

Check in the ADC UI. Navigate to AppExpert → Rewrite → Policies and Actions. There should be 10 new Rewrite Policies and 10 new Rewrite Actions in each section.

Navigate to AppExpert → Rewrite → Rewrite Policies and select Policy Manager. Change the Bind Point to VPN Virtual Server, change the Connection Type to Response, and change the Virtual Server to your Gateway (GW-17 in my case).

Bind all your newly created Rewrite Policies to your Citrix Gateway. Make sure all the GOTOEXPRESSIONS have NEXT. The final GOTOEXPRESSION should have END. An earlier END causes the Gateway to ignore any further expressions.

Clear the ADC cache by running the following command in the CLI: flush cache contentgroup loginstaticobjects.

Wait a few minutes and test again. You should get the following report summary.

Your Rewrite Policies will be bound to the Gateway and are accessible in Citrix Gateway → Virtual Servers → Server Name → Policies → Response Policies → Rewrite Policies.

Congratulations, you now score an A+ at securityheaders.com! You have done your part to mitigate against XSS attacks, clickjacking, code injection, and targeted attacks in a way that is transparent to your user base.

Troubleshooting (Or Why Didn’t I Score an A+?)

Securityheaders.com may have added or changed scan criteria. Review the scan results and messages indicating why your score was not an A+ for further troubleshooting.

If your score did not change after applying your Rewrite Policies, make sure to check that they are applied as Response policies on the Gateway and verify that the GOTOEXPRESSION is NEXT for all but the last policy, which should have END.

The topics I covered in this blog post will help you to enhance the security posture of your NetScaler ADC and Gateway. Learn more in our Configure Cookies, Headers, and Polling documentation.