Scoring an A+ In Securityheaders.io
At the moment we all know how to score an A+ on ssllabs.com for our NetScaler Gateway, but can we also score an A+ on securityheaders.io?
My test environment currently has this score on ssllabs.com
And this score on securityheaders.io
As you can see I already did some preparations before this post. 😉
To configure the headers on your vServer, add them as rewrite policies:
add rewrite action RA_Insert_STS_Header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite action RA_Insert_XSS_Header insert_http_header X-Xss-Protection "\"1;mode=block\""
add rewrite action RA_Insert_XContent_Header insert_http_header X-Content-Type-Options "\"nosniff\""
add rewrite action RA_Insert_Referrer_Header insert_http_header Referrer-Policy "\"same-origin\""
add rewrite action RA_Insert_X_Frame_Header insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite action RA_Insert_Expect_CT_Header insert_http_header Expect-CT "\"enforce,max-age=30\""
add rewrite policy RP_Enforce_STS TRUE RA_Insert_STS_Header
add rewrite policy RP_Enforce_Referrer TRUE RA_Insert_Referrer_Header
add rewrite policy RP_Enforce_XSS_Header TRUE RA_Insert_XSS_Header
add rewrite policy RP_Enforce_XContent_Header TRUE RA_Insert_XContent_Header
add rewrite policy RP_Enforce_X_Frame TRUE RA_Insert_X_Frame_Header
add rewrite policy RP_Enforce_Expect_CT TRUE RA_Insert_Expect_CT_Header
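To verify that the six rewrite policies above actually end up in the response, here is a small checker along the lines of what securityheaders.io does. It is an added example, not code from the original post and not NetScaler or Citrix code. The two HTTP responses are constructed inline (no host is queried), and the one-year minimum HSTS lifetime is an assumption of this example, not a value from the post.

```python
"""Audit a raw HTTP response for the headers the rewrite policies insert.

Added example, not part of the original post and not NetScaler code. The
responses below are constructed to resemble what a Gateway vServer returns
with and without the six policies bound; no real host was queried.
"""

# Constructed response: all six headers present with the post's values.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=157680000\r\n"
    "X-Xss-Protection: 1;mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: same-origin\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Expect-CT: enforce,max-age=30\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed response: short HSTS lifetime, misspelt nosniff, rest missing.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: no-sniff\r\n"
    "\r\n"
)

# One year in seconds; this threshold is our assumption, not from the post.
MIN_HSTS_AGE = 31536000

# Tokens defined by the Referrer Policy specification.
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Extract max-age from an HSTS value, or None if absent or malformed."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def check_headers(raw):
    """Return {header: ok} for each header the post's rewrite actions insert."""
    h = parse_headers(raw)
    age = hsts_max_age(h.get("strict-transport-security", ""))
    xss = h.get("x-xss-protection", "")
    return {
        "strict-transport-security": age is not None and age >= MIN_HSTS_AGE,
        "x-xss-protection": xss.split(";")[0].strip() == "1",
        "x-content-type-options":
            h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer-policy":
            h.get("referrer-policy", "").lower() in VALID_REFERRER_POLICIES,
        "x-frame-options":
            h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"},
        "expect-ct": "max-age=" in h.get("expect-ct", "").lower(),
    }


def failing(raw):
    """Sorted list of headers that are missing or carry a weak value."""
    return sorted(name for name, ok in check_headers(raw).items() if not ok)


if __name__ == "__main__":
    print("good:", failing(GOOD_RESPONSE))
    print("weak:", failing(WEAK_RESPONSE))
```

Point it at a real response by replacing the constructed strings with the output of `curl -si https://your-gateway/`; a short HSTS max-age or a misspelt value shows up as a failed header rather than silently passing because the header "is there".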
No rocket science in here 😉 But how do we get that Content-Security-Policy green?
First we need to understand what the CSP is doing. There is a nice website explaining this: https://content-security-policy.com/
Done reading? So you now know what it is and what it is doing? Great.
To keep this blog post short: you aren’t getting an A+ score on your NetScaler Gateway VIP if you enable CSP the correct way. But the best setting for me at the moment is the following:
add rewrite action RA_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' 'unsafe-eval';\""
add rewrite policy RP_Enforce_Content-Security-Policy TRUE RA_Insert_Content-Security-Policy
If you bind this to your NetScaler Gateway vServer, the results look like this:
It’s not an A+ but only an A, but this is a correct Content-Security-Policy. I think you should not read further but implement this.
You do get this warning, but we can “safely” ignore it, as Citrix is a security company 😉 Or isn’t it????
Scoring the A+ for a content switch or a load balancer hosting some websites isn’t that hard. You just have to figure out the correct CSP. But for the NetScaler Gateway it seems impossible.
If we bind this simple, but correct, CSP, the whole CSS markup of the NetScaler Gateway page is gone:
add rewrite action RA_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"default-src 'self';\""
If I bind an empty CSP to my NetScaler Gateway I do get my A+ score and the site still works. Of course this is not a working CSP header, but my OCD can sleep now 😉
add rewrite action RA_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"\""
As long as Citrix uses “unsafe-inline” and “unsafe-eval” scripts in the Gateway, we cannot get it to work properly.
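The three policies discussed above behave very differently even though two of them score well. As an added example (not code from the original post, and not Citrix code), the parser below splits a Content-Security-Policy value into directives, applies the default-src fallback, and classifies the policy as empty, weak (allows 'unsafe-inline' or 'unsafe-eval') or strict. The three header values are the ones from the post, embedded as constructed strings.

```python
"""Parse and classify a Content-Security-Policy header value.

Added example, not part of the original post. It reproduces the three
policies the post tries on the Gateway and reports why each scores
the way it does: the empty one restricts nothing, the full one relies
on 'unsafe-inline' / 'unsafe-eval', and default-src 'self' is strict.
"""

# The post's three policies, as constructed header values.
CSP_WORKING_BUT_WEAK = (
    "default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval';"
)
CSP_STRICT = "default-src 'self';"
CSP_EMPTY = ""

# Source expressions that disable the protection a directive is meant to give.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value):
    """Return {directive-name: [source expressions]} from a CSP header value.

    Directive names are case-insensitive; when a directive appears twice,
    the first occurrence wins and later ones are ignored, as the CSP
    specification requires.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that govern a fetch directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def findings(value):
    """Human-readable list of weaknesses in a policy; empty means strict."""
    policy = parse_csp(value)
    if not policy:
        return ["policy is empty: header present but nothing is restricted"]
    issues = []
    if "default-src" not in policy:
        issues.append("no default-src: unlisted resource types are unrestricted")
    for directive in ("script-src", "style-src"):
        for src in effective_sources(policy, directive):
            if src.lower() in UNSAFE_SOURCES:
                issues.append(f"{directive} allows {src}")
    return issues


def classify(value):
    """Return 'empty', 'weak' or 'strict' for a CSP header value."""
    policy = parse_csp(value)
    if not policy:
        return "empty"
    return "weak" if findings(value) else "strict"


if __name__ == "__main__":
    for label, csp in (("full", CSP_WORKING_BUT_WEAK),
                       ("default-src only", CSP_STRICT),
                       ("empty", CSP_EMPTY)):
        print(f"{label}: {classify(csp)}")
        for issue in findings(csp):
            print("  -", issue)
```

Running it shows the trade-off the post describes: the full policy keeps the Gateway working but is reported weak on both script-src and style-src, `default-src 'self'` is the only strict one, and the empty header is flagged as restricting nothing, which is what a scanner that only checks for the header's presence cannot tell you.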
Update 27-11-2017: I’ve added the new Expect-CT header. For more information about this new header: https://scotthelme.co.uk/a-new-security-header-expect-ct/