1 Reply Latest reply on Jan 25, 2011 4:51 AM by asabban

    improper default headers in MWG7

    petr.herman

      Can anybody tell me why MWG7 uses headers like Via or X-Forwarded-For by default in proxy -> web server communication?

       

      Sensitive data is often written there, such as the local client IP and the version and build of MWG...

       

      It is suitable only for proxy -> next-hop proxy communication and that way of usage seems to me obsolete and mainly dangerous.

       

      I know there is an easy way to remove them, but the default behaviour should be different.

       

      Btw, I know some applications which have a problem with these headers, e.g. the login window at https://www.ispop.cz, top right-hand corner...

       

       

      Best regards

      Petr

       

       

      on 1/25/11 11:47:28 AM CET

       

       

      on 1/25/11 11:48:09 AM CET
        • 1. Re: improper default headers in MWG7
          asabban

          Hello Petr,

           

          As you stated, you should be able to easily remove those headers with the Event "Header.RemoveAll" and omit X-Forwarded-For and/or Via as the parameters for the Event. This will strip off the headers.

           

          I think this behaviour is somehow default. As far as I can tell, other Proxy solutions are working the same way out of the box without touching the configuration. I think after all it is easier to remove those headers for those customers who want to remove them instead of adding them if they are required.

           

          As you stated, this may be required in Proxy chain environments. I am not sure if we should change the default behaviour; however, this should definitely be documented in a better way, as it is not really obvious to the users.

           

          In case you want to submit your request, please refer to

           

          http://www.securecomputing.com/index.cfm?skey=1171

           

          where you can file feature requests which will then be discussed and probably considered by Product Management.

           

          Please let me know in case you need help to remove those headers.

           

          Best,

          Andre

          1 of 1 people found this helpful
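
An added example, not part of the thread and not MWG code: a Python check that lists what the Via and X-Forwarded-For headers discussed above would disclose, given request headers captured at a test origin server you control. The function names, the product name and all header values in the sample are constructed for illustration.

```python
import ipaddress
import re

# Via hop: received-protocol, received-by, optional "(comment)" (RFC 7230, 5.7.1).
# Simplification: hops are split on commas, so comments containing commas are skipped.
VIA_HOP = re.compile(r'^\s*(?:[\w.-]+/)?[\w.]+\s+(\S+)(?:\s+\((.*)\))?\s*$')
VERSION = re.compile(r'\d+(?:\.\d+)+')

def _internal_ip(text):
    """Return the address if text is a private/loopback/link-local IP, else None."""
    host = text.strip().strip('[]')
    if host.count(':') == 1:          # drop an IPv4 ":port" suffix
        host = host.split(':')[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                # hostname or pseudonym, not an address
        return None
    return str(ip) if (ip.is_private or ip.is_loopback or ip.is_link_local) else None

def audit_proxy_headers(headers):
    """List what Via and X-Forwarded-For disclose to the origin server."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for entry in h.get('x-forwarded-for', '').split(','):
        ip = _internal_ip(entry)
        if ip:
            findings.append(('x-forwarded-for', 'internal client address', ip))
    for hop in h.get('via', '').split(','):
        m = VIA_HOP.match(hop)
        if not m:
            continue
        received_by, comment = m.group(1), m.group(2) or ''
        ip = _internal_ip(received_by)
        if ip:
            findings.append(('via', 'internal proxy address', ip))
        ver = VERSION.search(comment)
        if ver:
            findings.append(('via', 'product version in comment', ver.group(0)))
    return findings

# Constructed sample: headers as a test origin server might log them.
SAMPLE = {
    'Host': 'www.example.com',
    'Via': '1.1 10.1.2.3 (Example Proxy 7.0.1 build 1234)',
    'X-Forwarded-For': '192.168.10.57',
}

if __name__ == '__main__':
    for header, issue, value in audit_proxy_headers(SAMPLE):
        print(f'{header}: {issue}: {value}')
```

Running the same check on headers captured after the removal rule is in place should return an empty list.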