petr.herman
Level 7

improper default headers in MWG7

Can anybody tell me why MWG7 uses headers like Via or X-Forwarded-For by default in proxy -> web server communication?

Sensitive data such as the local client IP and the version and build of MWG are often written there...

It is suitable only for proxy -> next-hop proxy communication and that way of usage seems to me obsolete and mainly dangerous.

I know there is an easy way to remove them, but the default behaviour should be different.

Btw, I know some applications which have a problem with these headers, e.g. the login window at https://www.ispop.cz, top right-hand corner...

Best regards

Petr

on 1/25/11 11:47:28 AM CET

on 1/25/11 11:48:09 AM CET
0 Kudos
1 Reply
asabban
Level 17

Re: improper default headers in MWG7

Hello Petr,

As you stated, you should be able to easily remove those headers with the Event "Header.RemoveAll" and omit X-Forwarded-For and/or Via as the parameters for the Event. This will strip off the headers.

I think this behaviour is somehow default. As far as I can tell, other proxy solutions work the same way out of the box without touching the configuration. I think after all it is easier to remove those headers for those customers who want to remove them instead of adding them if they are required.

As you stated, this may be required in proxy chain environments. I am not sure if we should change the default behaviour; however, this should definitely be documented in a better way, as it is not really obvious to the users.

In case you want to submit your request, please refer to

http://www.securecomputing.com/index.cfm?skey=1171

where you can file feature requests which will then be discussed and probably considered by Product Management.

Please let me know in case you need help to remove those headers.

Best,

Andre

0 Kudos
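
An added example, not part of the original thread and not McAfee tooling: a Python check to run over the request head as an origin server or a test echo endpoint receives it, to confirm whether the proxy still discloses an internal client address in X-Forwarded-For or a product/version comment in Via after the removal rule is in place. The sample request, host names and product string are constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: a request head as the web server behind the proxy might see it.
SAMPLE_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Via: 1.1 proxy01.corp.example (ExampleProxy 7.0.1 build 1234)\r\n"
    "X-Forwarded-For: 10.20.30.40\r\n"
    "\r\n"
)

# One Via hop: [protocol-name/]version, received-by, optional "(comment)".
VIA_HOP = re.compile(r"(?:[\w.-]+/)?[\w.]+\s+([^\s,(]+)(?:\s+\(([^)]*)\))?")

def parse_headers(raw):
    """Return {lowercase-name: [values]} for a raw HTTP request head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the request line
        if not line.strip():               # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def is_internal(text):
    """True if text is an IP literal in a private/reserved range."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:                     # host name, "unknown", etc.
        return False

def audit(raw):
    """List (header, issue, value) tuples for information disclosed upstream."""
    findings = []
    headers = parse_headers(raw)
    for value in headers.get("x-forwarded-for", []):
        for item in (part.strip() for part in value.split(",")):
            if is_internal(item):
                findings.append(("x-forwarded-for", "internal client address", item))
    for value in headers.get("via", []):
        for received_by, comment in VIA_HOP.findall(value):
            if is_internal(received_by.rsplit(":", 1)[0]):
                findings.append(("via", "internal proxy address", received_by))
            if comment:                    # comments usually carry product and build
                findings.append(("via", "proxy product/version comment", comment))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUEST):
        print(*finding, sep=" | ")
```

An empty result for a request captured on the server side means neither header is disclosing these details any more; host names in Via are not judged, since the check cannot tell whether a name is internal.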