AnsweredAssumed Answered

How to Prohibit Bypassing Web Agent

Question asked by Jim-Lundell-3M on May 4, 2018
Latest reply on May 7, 2018 by Ujwol Shrestha



I see three possible ways that might be used to ensure a web agent is never bypassed; thus, ensure a user cannot spoof headers at an app server.


I'm looking for wisdom/experience on each of these -- or possibly other methods I've not thought of.


1) IP Restriction


Pro: Simple to configure on IIS, etc.

Cons:  Can break production applications when new web servers/app servers are introduced.  Also, some apps like JBoss want to restrict app access always -- but allow direct access for admins.



2)  Client Certs



3) OFC -- encrypt responses consumed by applications


Pros: Get around hassles with IP Restriction and cert management.  Unless a "hacker" knew the strong session key, there's no way to spoof headers/cookies.

Cons: Custom code?  But our thinking is we could easily abstract this for our developers since CA provides most of what is needed.