Comments on: Scoring an A+ In Securityheaders.io

By: Mike

Mike — Wed, 06 Jan 2021 15:16:33 +0000

In reply to Mike.

This also could use an update in content to address similar reporting and header requirements in Bitsight since that’s what alot of companies are using now to track this kind of thing….

i did manage to get it up to an A by binding to the global default and not the global override so FYI for anyone if they run into same thing.

That being said. An A in Securityheaders.io doesn’t help me if the same config shows as “Fair” in bitsight

By: Mike

Mike — Mon, 04 Jan 2021 18:32:05 +0000

In reply to Jeroen. This aaa custom response link is broken. can we post the content here? I also notice that the content security policy doesn't work and when i use it as stated above, securityheaders.io shows it as not existing and gives me a B. any ideas?

By: Jeroen Tielen

Jeroen Tielen — Wed, 27 Jun 2018 15:21:13 +0000

In reply to Jason. Well tell your CSO that all fortune 500 companies are using the netscaler. If this was/is a security breach then it was already patch/known by Citrix. But what you can do is open a case by Citrix and let them come back with a decent answer ;)

By: Jason

Jason — Wed, 27 Jun 2018 15:16:31 +0000

In reply to Jeroen Tielen.

Apologies for the double comment. That’s too bad. We’re a payroll company and security is scrutinizing the unsafe-inline and unsafe-eval.

Thanks

By: Jeroen Tielen

Jeroen Tielen — Wed, 27 Jun 2018 14:04:33 +0000

In reply to Jason. Correct ;)

By: Jeroen Tielen

Jeroen Tielen — Wed, 27 Jun 2018 14:04:00 +0000

In reply to Jason. Hi Jason, is you are happy with the A and not A+ then yes keep those in the CSP.

By: Jason

Jason — Thu, 21 Jun 2018 13:47:25 +0000

As long as Citrix implements “unsafe-inline” and “unsafe-eval” scripts in the Gateway we could not get it to work properly.

Does that mean the CSP MUST have both unsafe-inline and unsafe-eval due to NetScaler Gateway? It doesn’t work without it? I can’t see to get it to work if I remove those items.

By: Jason

Jason — Wed, 20 Jun 2018 20:15:06 +0000

“As long as Citrix implements “unsafe-inline” and “unsafe-eval” scripts in the Gateway we could not get it to work properly”

Does this mean you must have “unsafe-inline” and “unsafe-eval” in your CSP? My Security group keeps bouncing back because it’s failing scans. If I remove both values from my NetScaler CSP, the hosted site breaks. I run 11.0/71.22. Thanks.

By: Jeroen

Jeroen — Mon, 30 Apr 2018 12:49:21 +0000

In reply to Bjron. Look at the whole report. There should be pointers in there.

By: Bjron

Bjron — Wed, 25 Apr 2018 10:05:30 +0000

Security Report Summary is showing “R” but all 6 headers are green. What might be the reason, its now showing A/A+?

By: Sebastiaan

Sebastiaan — Thu, 15 Mar 2018 15:55:25 +0000

I’m going to check out the blog post and try to bind them globally. Thanks.
Hopefully you figure it out quickly 🙂 and you can enjoy your evening.

-Sebastiaan

By: Jeroen

Jeroen — Thu, 15 Mar 2018 15:26:06 +0000

In reply to Sebastiaan.

In this blog post you find some more information. As you can’t bind the rewrite policies to an AAA vServer they will work if you bind them globally. Although they haven’t tested this on newer versions of the NetScaler. Now you have triggered me 😉 It’s gonna be a long night hahahaha. I will try to reproduce this myself.

https://discussions.citrix.com/topic/366082-netscaler-aaa-page-response-with-custom-header/