Scoring an A+ In Securityheaders.io

Published by Jeroen Tielen on

By now we all know how to score an A+ on ssllabs.com for our NetScaler Gateway, but can we also score an A+ on securityheaders.io?
My test environment currently has this score on ssllabs.com

And this score on securityheaders.io

As you can see I already did some preparations before this post. 😉

To configure the headers on your vServer, add them as rewrite actions and policies and bind the policies to the vServer as response policies:

No rocket science here 😉 But how do we get that Content-Security-Policy green?

First we need to understand what CSP does. There is a nice website explaining it: https://content-security-policy.com/
Done reading? So you now know what it is and what it does? Great.
To keep this post short: you won't get an A+ on your NetScaler Gateway VIP if you enable CSP the correct way, because the Gateway portal needs 'unsafe-inline' and 'unsafe-eval' in its policy and securityheaders.io caps a policy containing those at A. The best setting for me at the moment is the following:

If you bind this to your NetScaler Gateway vServer, the result looks like this:

It's only an A, not an A+, but this is a real, enforced Content-Security-Policy that the Gateway actually works with, and I think you should stop reading here and implement this.
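The rewrite actions, policies and bindings for the header set described above, including a Content-Security-Policy the Gateway portal can live with, as an added example; this is not the post's own configuration (its screenshots are not reproduced here). Everything in it is an assumption to adapt: the vServer names gw_vs and lb_owa, the rw_act_/rw_pol_ naming, the priorities, the Referrer-Policy value and the exact CSP directive list. The script only prints NetScaler CLI commands, so it runs anywhere; paste the output into the NetScaler CLI or apply it as a batch file. Each policy fires only when the header is not already in the response, so a back-end that sets its own HSTS or CSP behind an lb vServer does not get a duplicate header.

```shell
#!/bin/sh
# Added example (not the post's own configuration): emit the NetScaler CLI
# commands that insert the security headers as response rewrite policies.
# Assumptions: vServer type is vpn (Gateway), lb or cs; the names, policy
# names, priorities and the CSP directive list are placeholders to adapt.

# CSP the Gateway portal tolerates: its inline scripts, styles and eval'd code
# need 'unsafe-inline' and 'unsafe-eval', which caps the securityheaders.io
# grade at A. Drop them and the portal loses its CSS and scripts.
CSP_GATEWAY="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'"

# emit_header TYPE VSERVER HEADER VALUE PRIORITY
emit_header() {
    key=$(printf '%s' "$3" | sed 's/-/_/g' | tr '[:upper:]' '[:lower:]')
    act="rw_act_insert_$key"
    pol="rw_pol_insert_$key"
    # The header value is a NetScaler string literal, so it is wrapped in \" \".
    printf 'add rewrite action %s insert_http_header %s "\\"%s\\""\n' "$act" "$3" "$4"
    # Only insert when the response does not already carry the header.
    printf 'add rewrite policy %s "HTTP.RES.HEADER(\\"%s\\").EXISTS.NOT" %s\n' "$pol" "$3" "$act"
    # A Gateway (vpn) vServer binds with -policy; lb and cs vServers use -policyName.
    case "$1" in
        vpn)   printf 'bind vpn vserver %s -policy %s -priority %s -gotoPriorityExpression NEXT -type RESPONSE\n' "$2" "$pol" "$5" ;;
        lb|cs) printf 'bind %s vserver %s -policyName %s -priority %s -gotoPriorityExpression NEXT -type RESPONSE\n' "$1" "$2" "$pol" "$5" ;;
        *)     echo "unknown vserver type: $1 (expected vpn, lb or cs)" >&2; return 1 ;;
    esac
}

# ns_header_config TYPE VSERVER: the six headers securityheaders.io grades.
ns_header_config() {
    emit_header "$1" "$2" Strict-Transport-Security "max-age=31536000; includeSubDomains" 100
    emit_header "$1" "$2" X-Frame-Options SAMEORIGIN 110
    emit_header "$1" "$2" X-Content-Type-Options nosniff 120
    emit_header "$1" "$2" X-XSS-Protection "1; mode=block" 130
    emit_header "$1" "$2" Referrer-Policy no-referrer 140
    emit_header "$1" "$2" Content-Security-Policy "$CSP_GATEWAY" 150
}

# Usage: ns_header_config vpn gw_vs > headers.conf, then paste into the
# NetScaler CLI or copy to /nsconfig and apply with: batch -fileName headers.conf
ns_header_config vpn gw_vs
```

For a content switching or load balancing vServer fronting an ordinary website, call it with `lb` or `cs` and replace CSP_GATEWAY with the policy that site really needs; that is where the A+ is reachable.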

You do get this warning about the 'unsafe-*' sources in the policy, but we can "safely" ignore it, as Citrix is a security company 😉 Or isn't it?

Scoring an A+ for a content switching or load balancing vServer hosting ordinary websites isn't that hard: you just have to work out the correct CSP for that site. For the NetScaler Gateway it seems impossible.

If we bind this simple but correct CSP, without 'unsafe-inline' and 'unsafe-eval', all of the CSS styling of the NetScaler Gateway page is gone, because the portal's inline styles and scripts are blocked.

If I bind an empty Content-Security-Policy header to my NetScaler Gateway, I do get my A+ and the site still works. Of course an empty header enforces nothing, so this is not a working CSP, but my OCD can sleep now 😉

As long as Citrix relies on inline and eval'd scripts in the Gateway portal, which require 'unsafe-inline' and 'unsafe-eval' in script-src, we cannot get a strict CSP to work properly.

Update 27-11-2017: I’ve added the new Expect-CT header. For more information about this new header: https://scotthelme.co.uk/a-new-security-header-expect-ct/
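As an added example that is not part of the post, and that also answers the question in the comments about verifying the policies when the online scanner follows a redirect: this POSIX shell script grades a saved response-header dump for the six headers securityheaders.io scores and classifies the Content-Security-Policy, telling a real policy apart from the empty header above and flagging the 'unsafe-*' sources that cap the grade at A. The two header dumps in it are constructed, not captured from a real Gateway, and the curl hostname in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): grade a saved response-header dump for
# the six headers securityheaders.io scores, so the rewrite policies can be
# checked against the exact vServer you mean, redirects or not.
# Capture a dump from the Gateway with (hostname is a placeholder):
#   curl -sS -o /dev/null -D gateway.txt https://gateway.example.com/
# Header names are matched case-insensitively; CRLF line endings are tolerated.

REQUIRED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options X-Content-Type-Options X-XSS-Protection Referrer-Policy"

# header_value DUMP NAME: value of the first NAME header, CR and spaces trimmed.
header_value() {
    grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# missing_headers DUMP: one line per required header that is absent.
missing_headers() {
    for h in $REQUIRED_HEADERS; do
        grep -qi "^$h:" "$1" || echo "$h"
    done
}

# csp_class DUMP: missing | empty | unsafe | ok
#   empty  = header sent with no directives (scores A+ but enforces nothing)
#   unsafe = contains 'unsafe-inline' or 'unsafe-eval' (grade capped at A)
csp_class() {
    grep -qi "^Content-Security-Policy:" "$1" || { echo missing; return 0; }
    v=$(header_value "$1" Content-Security-Policy)
    if [ -z "$v" ]; then echo empty; return 0; fi
    case "$v" in
        *unsafe-inline*|*unsafe-eval*) echo unsafe ;;
        *) echo ok ;;
    esac
}

# check_headers DUMP: prints findings; returns 0 when every header is present
# and the CSP is a real policy, 1 otherwise. An unsafe-* CSP is only a warning,
# since that is the best a Gateway vServer can do.
check_headers() {
    rc=0
    for h in $(missing_headers "$1"); do
        echo "MISSING: $h"
        rc=1
    done
    case "$(csp_class "$1")" in
        missing) : ;;   # already reported as MISSING above
        empty)  echo "FAIL: Content-Security-Policy is empty; it scores but protects nothing"; rc=1 ;;
        unsafe) echo "WARN: Content-Security-Policy allows unsafe-inline/unsafe-eval; securityheaders.io caps the grade at A" ;;
        ok)     echo "OK: Content-Security-Policy has no unsafe-* sources" ;;
    esac
    return $rc
}

# Constructed sample dumps standing in for real curl output.
SAMPLE_DIR=$(mktemp -d)
# What a Gateway with the post's kind of policy set looks like.
cat > "$SAMPLE_DIR/gateway.txt" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
EOF
# The "A+ with an empty CSP" trick, with Referrer-Policy forgotten as well.
cat > "$SAMPLE_DIR/empty_csp.txt" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
EOF

echo "== gateway.txt";   check_headers "$SAMPLE_DIR/gateway.txt"   || echo "verdict: fix needed"
echo "== empty_csp.txt"; check_headers "$SAMPLE_DIR/empty_csp.txt" || echo "verdict: fix needed"
```

Run it against a dump taken with `curl -D` from the hostname the users actually hit; if the headers are missing there but present on the vServer you bound them to, a content switch or a redirect in front of it is answering instead.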



15 Comments

Sebastiaan · March 15, 2018 at 14:23

Hi Jeroen,

Thanks for this great article. I applied the policies to our netscaler gateway and we now have an A+ too. I have one question though.
When I check our Authentication Virtual Servers, we use them for OWA, at securityheaders.io it looks like the headers are not detected. Although I did bind the rewrite policies to the LB VS. Any ideas on how I can check whether my policies are working?

Thanks.

-Sebastiaan

    Jeroen · March 15, 2018 at 15:11

    Hi Sebastiaan,

    Is there a content switch in front? And are you testing direct to the virtual server? Or are there redirects configured?

    Best regards, Jeroen.

      Sebastiaan · March 15, 2018 at 15:29

      Hi Jeroen,

      There is a content switch virtual server in front. webmail.domain.com is redirected to login.domain.com at LB level.
      Thing is that I cannot bind rewrite policies to the Authentication Virtual Servers. Only to LB Virtual servers and CS Virtual Servers. I tried both but the result is the same. The website is graded with a D.
      I did check the Goto expression value. Next, next, next, end.

      -Sebastiaan

        Jeroen · March 15, 2018 at 16:05

        Hi Sebastiaan,

        By default securityheaders.io will follow redirects (checkbox below the URL box). So in your case the test will be performed against login.domain.com.

        Jeroen.

Sebastiaan · March 15, 2018 at 16:12

Unchecking the follow redirects box leaves me with a grade R.
And all 5 header options are red. But it also shows a warning that says:
Warning: Grade capped at A, please see warnings below.

-Sebastiaan

Sebastiaan · March 15, 2018 at 16:55

I’m going to check out the blog post and try to bind them globally. Thanks.
Hopefully you figure it out quickly 🙂 and you can enjoy your evening.

-Sebastiaan

Bjron · April 25, 2018 at 11:05

Security Report Summary is showing "R" but all 6 headers are green. What might be the reason it's not showing A/A+?

    Jeroen · April 30, 2018 at 13:49

    Look at the whole report. There should be pointers in there.

Jason · June 20, 2018 at 21:15

“As long as Citrix implements “unsafe-inline” and “unsafe-eval” scripts in the Gateway we could not get it to work properly”

Does this mean you must have “unsafe-inline” and “unsafe-eval” in your CSP? My Security group keeps bouncing back because it’s failing scans. If I remove both values from my NetScaler CSP, the hosted site breaks. I run 11.0/71.22. Thanks.

    Jeroen Tielen · June 27, 2018 at 15:04

    Hi Jason, if you are happy with the A and not A+ then yes, keep those in the CSP.

Jason · June 21, 2018 at 14:47

As long as Citrix implements “unsafe-inline” and “unsafe-eval” scripts in the Gateway we could not get it to work properly.

Does that mean the CSP MUST have both unsafe-inline and unsafe-eval due to NetScaler Gateway? It doesn’t work without it? I can’t see to get it to work if I remove those items.

    Jeroen Tielen · June 27, 2018 at 15:04

    Correct 😉

      Jason · June 27, 2018 at 16:16

      Apologies for the double comment. That’s too bad. We’re a payroll company and security is scrutinizing the unsafe-inline and unsafe-eval.

      Thanks

        Jeroen Tielen · June 27, 2018 at 16:21

        Well, tell your CSO that all Fortune 500 companies are using the NetScaler. If this was/is a security breach then it was already patched/known by Citrix. But what you can do is open a case with Citrix and let them come back with a decent answer 😉
