Layer7 API Management

  • 1.  OWASP Secure Headers

    Posted May 24, 2018 04:45 AM

    Has anyone implemented OWASP Headers using the gateway

     

    OWASP Secure Headers Project - OWASP 

     

    The available threat protection policies can be utilized ,but do they set any context variable as well which can be utilized for setting the OWASP Secure Headers?

    What is the best way to this if i have to say add Content-Security-Policy OWASP Header for API Gateway?

     

    Regards,

    Sonalee Shyam



  • 2.  Re: OWASP Secure Headers

    Posted May 30, 2018 06:03 AM

    Can someone please help with the above?



  • 3.  Re: OWASP Secure Headers
    Best Answer

    Posted Jun 05, 2018 01:44 PM

    We have a fairly small API GW setup right now, but use a Global Policy to return some common secure headers that all endpoints require. For example, HSTS and some others are required for every service.

     

    Just added the Manage Transport Properties to add/replace the response headers with what we want to ensure it's always set to the required value.

     

    Manage Transport Properties/Headers Assertion - CA API Gateway - 9.3 - CA Technologies Documentation 

     

    For ones that need additional, or custom headers not in the standard list we use, then we either add it straight into their policy and just return what is needed (such as content-security-policy will often vary depending on the app) or an included policy fragment if there's a common set across multiple services.