Check if header is already set


We are setting some security headers like HSTS. The policy is working fine, although the auditors are complaining that some headers are set multiple times. I thought I had the right expression to prevent this, but it's not working. What expression should I use?

The current policy is: HTTP.RES.HEADER("Strict-Transport-Security").EXISTS.NOT.

However, if I set multiple headers with the same name, they are all added, so this is not working. Any ideas?

Link to comment
Share on other sites

The HSTS header may also be inserted by your SSL Profile or SSL Parameters on the lb vserver/cs server/vpn vserver or at the service/service group level.

If using the ssl profile, then don't use the rewrite policy as well, as the policy won't see that the header is present. (But I don't think the ssl profile looks for duplicate headers either.)

So, if the ssl profile is in use, don't use the rewrite policy on those vservers.

If you have vserver/traffic that you aren't sure of, create an alternate ssl profile that doesn't set this flag, and then use your rewrite policies to apply the flag if it doesn't already exist.

Link to comment
Share on other sites

One other thought: if you have multiple rewrite policies inserting this header, then you will get duplicates, as rewrite policy 2 can't see what rewrite policy 1 did on the same transaction. Because all rewrites are evaluated at once (before any rewrites are performed), policy 2 can't look for a header that policy 1 inserts, because it's not there yet.

So 1) be sure you don't have both ssl profile/parameters and the rewrite policy both doing insertions.

And 2) be sure you don't have multiple rewrites trying to insert the same header on the same transaction.

Link to comment
Share on other sites
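
The evaluation order described in the reply above, as an added example that is not part of the original thread and is not NetScaler code: a small Python model in which two policies both use the thread's EXISTS.NOT condition, plus the duplicate check an auditor would run on the final response. The policy names, header values and sample response are constructed, and the one-at-a-time mode is a hypothetical engine shown only for contrast.

```python
from collections import Counter

HSTS = "Strict-Transport-Security"

def exists_not(headers, name):
    """Model of HTTP.RES.HEADER(name).EXISTS.NOT: true when no header has that name."""
    return not any(n.lower() == name.lower() for n, _ in headers)

def apply_rewrites(headers, policies, evaluate_all_first=True):
    """Apply insert-header policies to a response header list.

    evaluate_all_first=True follows the thread: every policy expression is
    evaluated against the original response, then all matching actions run.
    False models a hypothetical one-at-a-time engine, for contrast only.
    """
    out = list(headers)
    if evaluate_all_first:
        # Decisions are made before any insert happens, so policy 2
        # cannot see the header that policy 1 is about to add.
        matched = [p for p in policies if exists_not(headers, p["header"])]
        out.extend((p["header"], p["value"]) for p in matched)
    else:
        for p in policies:
            if exists_not(out, p["header"]):
                out.append((p["header"], p["value"]))
    return out

def duplicated_headers(headers, watch=(HSTS,)):
    """Return {name: count} for watched headers that appear more than once."""
    watched = {w.lower(): w for w in watch}
    counts = Counter(n.lower() for n, _ in headers if n.lower() in watched)
    return {watched[n]: c for n, c in counts.items() if c > 1}

# Constructed sample data: a backend response without HSTS and two
# rewrite policies that each try to insert it.
BACKEND_PLAIN = [("Content-Type", "text/html")]
POLICIES = [
    {"name": "pol_hsts_1", "header": HSTS, "value": "max-age=31536000"},
    {"name": "pol_hsts_2", "header": HSTS, "value": "max-age=31536000; includeSubDomains"},
]

if __name__ == "__main__":
    for label, mode in (("evaluate all, then apply", True), ("one at a time", False)):
        final = apply_rewrites(BACKEND_PLAIN, POLICIES, evaluate_all_first=mode)
        print(label, "->", duplicated_headers(final) or "no duplicates")
```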

I had multiple rewrites so that explains some things. I know that this specific header can be set via an SSL profile, but indeed that is not checking if the header is already set.

The third header is inserted via the web server. Apparently, the NetScaler does not recognize this header either because just a new entry is added.

I just wanted to verify that my expression is correct: HTTP.RES.HEADER("Strict-Transport-Security").EXISTS.NOT

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
