Best practice for http-proxy content types

Hello.
I've got a question for you about the content types in HTTP proxies.
Which content types are safe, so that I can set them to allow? The result should be a good combination of maximum security and maximum performance.

For the moment I allow:
application/xml
audio/*
font/*
image/*
message/*
multipart/*
text/*
application/x-rtsp-tunneled
application/pdf
application/x-javascript
application/httpd/*
httpd/*
application/oscp-response
application/json
application/*

Default value here is Scan.

Thanks in advance for your answers.

Regards

Dirk Emmermacher

Answers

  • I gave up trying to block most Content Types.
    I have a general allow list, based on the old WG defaults from years ago
    (WatchGuard recommended standard configuration for HTTP-Client with logging enabled).
    I allow everything else and AV scan them, with a few Deny exceptions.
    I haven't reviewed my settings for these in years.

    My deny exceptions:
    application/dns-message
    Java-1
    Java-2

    My allow list - with no AV scan on some of my HTTP proxy actions - others have no allowed non-AV scanned Content Types:
    text/*
    image/*
    audio/*
    application/pdf
    application/x-javascript
    application/x-shockwave-flash
    application/xml
    application/x-httpd-*
    application/httpd/*
    httpd/*
    application/x-rtsp-tunneled
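
The policy this answer describes (deny exceptions first, an allow list that skips AV scan, AV scan for everything else), as an added Python example that is not part of the thread and not WatchGuard code. The pattern lists are copied as posted; the evaluation order, the `fnmatch`-style wildcard semantics and the sample type `application/x-msdownload` are assumptions. It also checks the question's list for entries that a wildcard in the same list already covers.

```python
from fnmatch import fnmatchcase

# Pattern lists copied from the thread as posted. Java-1/Java-2 are omitted
# because they are not MIME patterns. Evaluation order is an assumption.
DENY = ["application/dns-message"]
ALLOW_NO_SCAN = [
    "text/*", "image/*", "audio/*", "application/pdf",
    "application/x-javascript", "application/x-shockwave-flash",
    "application/xml", "application/x-httpd-*", "application/httpd/*",
    "httpd/*", "application/x-rtsp-tunneled",
]
QUESTION_ALLOW = [
    "application/xml", "audio/*", "font/*", "image/*", "message/*",
    "multipart/*", "text/*", "application/x-rtsp-tunneled",
    "application/pdf", "application/x-javascript", "application/httpd/*",
    "httpd/*", "application/oscp-response", "application/json",
    "application/*",
]


def normalize(header_value):
    """Reduce a Content-Type header value to a lowercase type/subtype."""
    return header_value.split(";", 1)[0].strip().lower()


def decide(header_value, deny=DENY, allow=ALLOW_NO_SCAN):
    """Return 'deny', 'allow' (no AV scan) or 'scan' (the default action)."""
    mime = normalize(header_value)
    if "/" not in mime:
        return "scan"  # a missing or malformed type never skips the scanner
    if any(fnmatchcase(mime, p) for p in deny):
        return "deny"
    if any(fnmatchcase(mime, p) for p in allow):
        return "allow"
    return "scan"


def subsumed(patterns):
    """Map each entry to the wildcard entry in the same list that covers it."""
    covered = {}
    for p in patterns:
        for q in patterns:
            if q != p and "*" in q and fnmatchcase(p, q):
                covered[p] = q
                break
    return covered
```

With the question's list, `subsumed(QUESTION_ALLOW)` reports that the trailing `application/*` covers every other `application/...` entry, so any application subtype is allowed without reaching the default Scan action.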

  • Hello Bruce.
    Thanks for your answer. I followed your recommendation. I searched for these old WatchGuard defaults. I didn't find them. :(

    Have a nice weekend and stay healthy

    Best regards from Germany

    Dirk

  • edited November 2020

    The only source that I know of for default settings is what is shown on a new policy, such as in Policy Manager.
    The current defaults have totally new names for the allowed content, most of them beginning with "All".

    My policies go way back, so I'm not sure when the changes were made for the new "All" defaults for Content Types.
