WatchGuard 11.1 firmware came out recently and it features a new security option: replacing HTTP headers. The firewall admin can maintain a set of approved HTTP headers. As web traffic flows through the WatchGuard proxy, it inspects the packets and removes any header not in the list.
Certain websites may have an issue with this, such as websites that rely on non-standard HTTP headers. If that happens, the firewall admin has two choices. The non-standard headers can be added to the approved list. Alternatively, the website can be added to a proxy bypass list. Then the web traffic from this site bypasses the proxy rule altogether.
What risk is this control mitigating? Several HTTP attacks rely on host header manipulation or header injection. There are also web attacks that cram two or more HTTP responses into one TCP packet (HTTP response splitting). Both are thwarted by configuring the HTTP proxy in 11.1.
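A sketch of the approved-list and bypass-list behaviour described above, as an added example and not WatchGuard's code. The header names, the bypass host and the function name are assumptions, and dropping values that contain a bare CR or LF is an added check that the post does not attribute to the product.

```python
# Added illustration; not WatchGuard's implementation. All names are hypothetical.
APPROVED = {"host", "user-agent", "accept", "content-type", "content-length"}
BYPASS_HOSTS = {"legacy.example.com"}  # constructed sample bypass list

# Constructed sample request headers: one non-standard header and one value
# carrying a bare LF followed by a smuggled header line.
SAMPLE = (
    "Host: www.example.com\r\n"
    "User-Agent: demo/1.0\r\n"
    "X-Custom-Token: abc\r\n"
    "Accept: text/html\nX-Injected: 1\r\n"
    "Content-Type: text/plain\r\n"
)


def filter_headers(raw_block, approved=APPROVED, bypass=BYPASS_HOSTS):
    """Return (kept, dropped) lists of (name, value) for a raw header block."""
    # Split strictly on CRLF so a bare CR or LF inside a line stays visible.
    parsed = []
    for line in raw_block.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        parsed.append((name.strip(), value.strip(), bool(sep)))

    # Bypass applies only when exactly one Host header names a bypassed site,
    # so an ambiguous request cannot choose the unfiltered path.
    hosts = [v.lower() for n, v, ok in parsed if ok and n.lower() == "host"]
    if len(hosts) == 1 and hosts[0] in bypass:
        return [(n, v) for n, v, _ in parsed], []

    kept, dropped = [], []
    for name, value, ok in parsed:
        has_ctl = any(c in name + value for c in "\r\n")
        if ok and name.lower() in approved and not has_ctl:
            kept.append((name, value))
        else:
            # Not on the approved list, malformed, or carrying CR/LF.
            dropped.append((name, value))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_headers(SAMPLE)
    print("kept:   ", [n for n, _ in kept])
    print("dropped:", [n for n, _ in dropped])
```

A header smuggled with a full CRLF instead of a bare LF becomes its own line and is then dropped by the approved list unless its name happens to be approved.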
Is it worth the effort? Time will tell.