Hi Team,
We had a recent pen test in our environment and have been asked for the changes below to APIGEE.
It was observed that the affected APIGEE APIs listed below were missing security response headers, as per best practices.
The APIs were missing the headers below:
• Missing: Content Security Policy (CSP)
• Missing: X-XSS Protection
• Missing: X-Frame Header
• Missing: Cache Control
• Misconfigured: Strict-Transport-Security
It was also observed that the APIs were disclosing the Apache/Coyote version through HTTPS response headers.
I have tried exploring but couldn't find any appropriate information. Can you please advise whether this can be done at the individual proxy level by making some code change? In any case, what are the changes to make and how can we achieve this? Kindly advise.
Ours is an on-premise installation of APIGEE.
If this is the problem:
The APIs were missing the headers below.
• Missing: Content Security Policy (CSP)
• Missing: X-XSS Protection
• Missing: X-Frame Header
• Missing: Cache Control
• Misconfigured: Strict-Transport-Security
then the way to address that is to use AssignMessage and insert those headers. You do that with AssignMessage configured like this:
<AssignMessage name='AM-Assign-Security-Headers'>
  <Set>
    <Headers>
      <Header name='Strict-Transport-Security'>VALUE HERE</Header>
      <Header name='Cache-Control'>VALUE HERE</Header>
      <Header ....>
      ...
    </Headers>
  </Set>
</AssignMessage>
The VALUES of those headers are something that is up to you, your organization, and your security policies. For example, for the Cache-Control header, you will need to use values described here, in accordance with the requirements of your organization and your particular API. Is the result of your API cacheable? For how long? Only you know that.
And similarly for the other headers. Sadly there is no one "m4gic button" to just apply all the right values of these various HTTP headers. Not in Apigee, nor in any other platform or gateway. You have to design it the way you want, keeping in mind your specific requirements.
For THIS problem:
disclosing apache/coyote version through HTTPS response headers.
Probably you need to remove the Server header from the response. You can do that like this:
<AssignMessage name='AM-Remove-Server-Header'>
  <Remove>
    <Headers>
      <Header name='Server'/>
      <Header name='X-Powered-By'/>
    </Headers>
  </Remove>
</AssignMessage>
These AssignMessage policies need to be attached in the response flow, somewhere.
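Putting the two halves of that answer together, here is a complete worked example. It is added here and is not code from the original post or from Apigee's own documentation: one AssignMessage policy that both sets the missing headers and strips the Server/X-Powered-By headers, plus the ProxyEndpoint that attaches it on the response PostFlow and, through a DefaultFaultRule, on error responses that never reach PostFlow. The policy name AM-Security-Headers, the base path /v1/orders, and every header value are assumptions chosen for a JSON API that serves per-user data; adjust them to your organization's policy.

```xml
<!-- apiproxy/policies/AM-Security-Headers.xml -->
<!-- Assumed example: header values below are a reasonable default for a JSON API, not a standard. -->
<AssignMessage name="AM-Security-Headers">
  <!-- Strip what the backend (here Tomcat/Coyote) reveals about itself. -->
  <Remove>
    <Headers>
      <Header name="Server"/>
      <Header name="X-Powered-By"/>
    </Headers>
  </Remove>
  <!-- Set overwrites any value the backend already sent; Add would append a second copy. -->
  <Set>
    <Headers>
      <!-- One year, including subdomains. Only correct if the API is HTTPS-only, which an HSTS header implies. -->
      <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
      <!-- A JSON API loads no scripts or styles and must never be framed. -->
      <Header name="Content-Security-Policy">default-src 'none'; frame-ancestors 'none'</Header>
      <Header name="X-Frame-Options">DENY</Header>
      <Header name="X-Content-Type-Options">nosniff</Header>
      <Header name="X-XSS-Protection">1; mode=block</Header>
      <!-- Responses carry per-user data: do not cache anywhere, not even in a shared proxy. -->
      <Header name="Cache-Control">no-store</Header>
      <Header name="Pragma">no-cache</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <!-- Modify the response in place rather than creating a new message. -->
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

<!-- apiproxy/proxies/default.xml -->
<ProxyEndpoint name="default">
  <!-- Error responses raised by the gateway itself (quota, VerifyAPIKey, etc.) skip PostFlow,
       so the same policy is attached here too. AlwaysEnforce runs it even when another
       FaultRule has already matched. Pen testers probe those 4xx/5xx responses as well. -->
  <DefaultFaultRule name="default-fault">
    <Step>
      <Name>AM-Security-Headers</Name>
    </Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <!-- Normal path: runs after the target response has been received. -->
    <Response>
      <Step>
        <Name>AM-Security-Headers</Name>
      </Step>
    </Response>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/v1/orders</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

This answers the per-proxy question directly: the policy lives in that one proxy bundle. If you need the same headers on every proxy in the organization, put the AssignMessage in a Shared Flow and attach it via the PostProxy flow hook instead of editing each proxy. Two caveats when verifying: test an error response (for example a request with a bad API key) as well as a success, because only the DefaultFaultRule covers the former; and note that current browsers ignore X-XSS-Protection and OWASP now recommends either omitting it or setting it to 0, so keep the value above only if the auditor insists on the header being present.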