HTTP/S Proxy Header Injection/Manipulation
Hi Guys,
A technique that doesn't appear to be very well known with Watchguard's is the ability to strip HTTP Response headers from a server that is published to the world when using a Server Based Proxy Rule.
The benefits of this being to remove server versions and other identifying markers before the client receives the packets. If possible I would like to see this further enhanced with the ability to modify or inject headers into the response.
e.g We have a web application that doesn't allow manipulation of response headers due to the way it was created. If we could inject headers into it from the Firewall level we could implement things such as:
X-Content-Type-Options: Nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
Referrer-Policy: same-origin
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: SAMEORIGIN
Hopefully this is something that could be considered, if it is at all technically possible?
Dave.
Comments
Hi Dave,
Instead of using strip, you should be able to use Replace to put something else in the response, if you'd like.
All options for building a proxy action are here:
(Add, Change, or Delete Rules)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/rules_add_simple_c.html
Hi James,
Thanks for your update.
The options for Replace is only possible in the SMTP Proxy. There no option for this in the HTTP or HTTPS proxies.
Hi Dave,
Thanks for the reply. My fault for not catching that.
I'll see if I can find out why that's not an option there and get back to you.
Hi @DaveDave
There is an existing feature request for this -- FBX-16691.
There isn't an ETA on that feature request, so I don't have any information to provide on if/when it might be implemented.
The replace option is in the SMTP proxy specifically to masquerade email addresses (usually from an internal domain to an external one.)