HTTP/S Proxy Header Injection/Manipulation

Hi Guys,

A technique that doesn't appear to be very well known with Watchguard's is the ability to strip HTTP Response headers from a server that is published to the world when using a Server Based Proxy Rule.

The benefits of this being to remove server versions and other identifying markers before the client receives the packets. If possible I would like to see this further enhanced with the ability to modify or inject headers into the response.

e.g We have a web application that doesn't allow manipulation of response headers due to the way it was created. If we could inject headers into it from the Firewall level we could implement things such as:

X-Content-Type-Options: Nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
Referrer-Policy: same-origin
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: SAMEORIGIN

Hopefully this is something that could be considered, if it is at all technically possible?

Dave.

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Dave,

    Instead of using strip, you should be able to use Replace to put something else in the response, if you'd like.

    All options for building a proxy action are here:
    (Add, Change, or Delete Rules)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/rules_add_simple_c.html

    -James Carson
    WatchGuard Customer Support

  • edited November 2021

    Hi James,

    Thanks for your update.

    The options for Replace is only possible in the SMTP Proxy. There no option for this in the HTTP or HTTPS proxies.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Dave,

    Thanks for the reply. My fault for not catching that.

    I'll see if I can find out why that's not an option there and get back to you.

    -James Carson
    WatchGuard Customer Support

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @DaveDave
    There is an existing feature request for this -- FBX-16691.

    There isn't an ETA on that feature request, so I don't have any information to provide on if/when it might be implemented.

    The replace option is in the SMTP proxy specifically to masquerade email addresses (usually from an internal domain to an external one.)

    -James Carson
    WatchGuard Customer Support

Sign In to comment.