security parameters in header

Hi Team,

We had a recent pen test in our environment and have been asked for the below changes from APIGEE.

1) It has been observed that the affected APIGEE APIs listed below were missing security response headers as per best practices.

The APIs were missing the headers below.
• Missing: Content Security Policy (CSP)
• Missing: X-XSS Protection
• Missing: X-Frame Header
• Missing: Cache Control
• Misconfigured: Strict-Transport-Security


2) It was observed that the APIs were disclosing the apache/coyote version through HTTPS response headers.

I have tried exploring but couldn't find any appropriate information. Can you please advise whether this can be done at the individual proxy level or not by making some code change? In any case, what are the changes to make, and how can we achieve this? Kindly advise.

Ours is an on-premise installation of APIGEE.

ACCEPTED SOLUTION

IF this is the problem

The APIs were missing the headers below.
• Missing: Content Security Policy (CSP)
• Missing: X-XSS Protection
• Missing: X-Frame Header
• Missing: Cache Control
• Misconfigured: Strict-Transport-Security

then, the way to address that is to use AssignMessage and insert those headers. You do that with AssignMessage configured like this:

<AssignMessage name='AM-Assign-Security-Headers'>
  <Set> 
    <Headers>
      <Header name='Strict-Transport-Security'>VALUE HERE</Header>
      <Header name='Cache-Control'>VALUE HERE</Header>
      <Header ....>
      ...
    </Headers>
  </Set>
</AssignMessage>

The VALUES of those headers are something that is up to you, your organization, and your security policies. For example, for the Cache-Control header, you will need to use values described here, in accordance with the requirements of your organization and your particular API. Is the result of your API cacheable? For how long? Only you know that.

And similarly for the other headers. Sadly there is no one "m4gic button" to just apply all the right values of these various HTTP headers. Not in Apigee, nor in any other platform or gateway. You have to design it the way you want, keeping in mind your specific requirements.

For THIS Problem

disclosing apache/coyote version through HTTPS response headers.

Probably you need to remove the server header from the response. You can do that like this:

<AssignMessage name='AM-Remove-Server-Header'>
  <Remove>
    <Headers>
      <Header name='Server'/>
      <Header name='X-powered-by'/>
    </Headers>
  </Remove>
</AssignMessage>

These AssignMessage policies need to be attached in the response flow, somewhere.
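As an added example (not code from the original post or from Apigee's own documentation), here is the two policies folded into one complete AssignMessage with illustrative header values, followed by the ProxyEndpoint excerpt that attaches it. The policy name, file paths and header values are assumptions: the values must be chosen for your own API, as the answer says, and the DefaultFaultRule attachment is there because responses produced in the error flow skip the PostFlow and would otherwise go out without these headers.

```xml
<!-- apiproxy/policies/AM-Security-Headers.xml (example; name and values are assumptions) -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-Security-Headers">
  <DisplayName>AM-Security-Headers</DisplayName>
  <!-- Drop headers that reveal the backend stack (e.g. the apache/coyote version) -->
  <Remove>
    <Headers>
      <Header name="Server"/>
      <Header name="X-Powered-By"/>
    </Headers>
  </Remove>
  <!-- Set overwrites whatever the backend sent, so a weak backend value cannot pass through -->
  <Set>
    <Headers>
      <!-- HSTS: one-year max-age; a short or missing max-age is the usual "misconfigured" finding -->
      <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
      <!-- A JSON API serves no scripts or frames, so the CSP can be fully restrictive -->
      <Header name="Content-Security-Policy">default-src 'none'; frame-ancestors 'none'</Header>
      <Header name="X-Frame-Options">DENY</Header>
      <Header name="X-Content-Type-Options">nosniff</Header>
      <!-- Legacy header; modern browsers ignore it, but scanners still flag its absence -->
      <Header name="X-XSS-Protection">1; mode=block</Header>
      <!-- no-store suits responses carrying per-user data; relax only if the API is cacheable -->
      <Header name="Cache-Control">no-store</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <!-- Modify the outgoing response in place rather than building a new message -->
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

<!-- apiproxy/proxies/default.xml (excerpt): attach the policy on the normal and the error path -->
<ProxyEndpoint name="default">
  <!-- Error responses (RaiseFault, target failures) bypass PostFlow, so attach here as well -->
  <DefaultFaultRule name="default-fault">
    <Step><Name>AM-Security-Headers</Name></Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
  <!-- PostFlow Response runs last on the success path, after any conditional flows -->
  <PostFlow name="PostFlow">
    <Request/>
    <Response>
      <Step><Name>AM-Security-Headers</Name></Step>
    </Response>
  </PostFlow>
  <!-- HTTPProxyConnection and RouteRule of the existing proxy follow unchanged -->
</ProxyEndpoint>
```

To cover every proxy in an environment rather than one, put the same policy in a Shared Flow and attach it to the Proxy PostFlow Response and error flow hooks instead.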


Hi - 


@giri_apigee wrote:

Can you please advise if this can be done at individual proxy level or not by making some code change. In any case what are the changes to do and how can we achieve this. kindly advise.


You don't specify which APIs you are examining. If these are your own APIs exposed by API Proxies that you define and configure, then... you can modify those proxies to conform to the security standards you require.

You can do that with AssignMessage to modify the security headers. Attach it to a flow hook (via Shared Flow) to make it effective for all the APIs across your environment.

Hi @dchiesa1 ,

Thanks for your feedback. It's a custom-built proxy only.

The need is only for one proxy, which the PT was done for. So AssignMessage will do for both the points (security response headers & apache/coyote version), right?

I'd appreciate it if you could share a line of code for one of the above. Thank you.
