Difference between revisions of "Header filter"

From Secure Web Gateway
m (1 revision imported)
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:
= Overview =
= Overview =


Here, you can control how the SafeSquid edits the HTTP header messages that pass between your browser and the Internet.
Control how the SafeSquid modifies the HTTP header messages exchanged between your Internet Clients like web browsers and the requested web service.


You can Increase internet usage privacy levels.
You can add a new header directive, delete a header directive or modify an existing header directive.


Control the client requests and web server responses.
The request and response headers are processed by this section before they are processed by the facility to rewrite headers in the Content Re-Write section.


You can add, delete or modify the Request and Response headers based on their content.
This section consists of 4 sub-sections – Global, Allow, Deny and Insert.  


Apart from allowing or denying request or response headers, you can also use Insert sub-section to add a new header or to modify them.
The processing of a request or a response, by this section is bypassed if the Global sub-section is set to False, and the policies in Allow / Deny / Insert thus become muted.  


This section analyzes:
The policies in the Insert section are processed after the policies in Allow / Deny lists.


Request header patterns that are passed from browsers to webservers.
Setting the Default Policy to Allow in the Global Sub-Section, permits all HTTP headers to be exchanged, unless there is a policy directive in the Deny List to prevent a header from being exchanged.
Similarly setting the Default policy to Deny shall block all non-mandatory HTTP headers from being exchanged, unless a policy in the Allow list, explicitly permits.


Response header patterns that are coming from webservers to clients.


== Global ==
== Global ==
Line 88: Line 89:


*'''CLIENT :''' This entry will be applied only for request headers, sent by the client.  
*'''CLIENT :''' This entry will be applied only for request headers, sent by the client.  
*'''SERVER : '''This entry will be applied only for response headers, sent by the server.  
*'''SERVER : '''This entry will be applied only for response headers, sent by the server.
 
=== Example ===
 
'''Rule#1'''
 
I want to allow websockets for connections which are profiled as “ALLOW WEBSOCKET”
 
This allow rule can be used in a situation where for all users connections to websockets are denied.
 
Using Allow rule we can allow websockets connections to a defined application/service and for a defined user-group.
[[File:Presentation1-headerAllow.png|left]]


== Deny ==
== Deny ==
Line 142: Line 154:


*'''CLIENT :''' This entry will be applied only for request headers, sent by the client.  
*'''CLIENT :''' This entry will be applied only for request headers, sent by the client.  
*'''SERVER : '''This entry will be applied only for response headers, sent by the server.  
*'''SERVER : '''This entry will be applied only for response headers, sent by the server.
 
=== Example ===
 
'''Rule#1'''
 
I want to deny all websocket connection using the request headers with header "websocket"
 
For connections with profile “REMOVE WEBSOCKETS” "websocket: upgrade" header will be removed from request headers, which will result in websocket connection to never be established.
[[File:Presentation1-headerdeny.png|left]]


== Insert ==
== Insert ==
Line 196: Line 217:


*'''CLIENT :''' This entry will be applied only for request headers, sent by the client.  
*'''CLIENT :''' This entry will be applied only for request headers, sent by the client.  
*'''SERVER : '''This entry will be applied only for response headers, sent by the server.  
*'''SERVER : '''This entry will be applied only for response headers, sent by the server.
 
=== Example ===
 
'''Rule#1'''
 
We want our users to use only our corporate google account.
 
When users try to login using his/her personal google account they should not be able to login.
 
Using the custom header in request X-GoogApps-Allowed-Domains we can specify which domains are to be allowed.
 
Make sure that the list includes the domain you registered with Google Workspace
[[File:Slide1-headerInsert.png|left]]
 
'''Rule#2'''
 
We allow our users to watch YouTube during lunch hours, however we do not want user to watch inappropriate contents.
 
We want to enforce YouTube strict mode for all users.
 
Using header insert we can insert custom header YouTube-Restrict: To set strict restricted access.
 
However as per google YouTube strict does not filter 100% of inappropriate contents.
[[File:Slide2-headerInsert.png|left]]


== View headers ==
== View headers ==

Latest revision as of 15:25, 5 January 2023

Overview

Control how the SafeSquid modifies the HTTP header messages exchanged between your Internet Clients like web browsers and the requested web service.

You can add a new header directive, delete a header directive or modify an existing header directive.

The request and response headers are processed by this section before they are processed by the facility to rewrite headers in the Content Re-Write section.

This section consists of 4 sub-sections – Global, Allow, Deny and Insert.

The processing of a request or a response, by this section is bypassed if the Global sub-section is set to False, and the policies in Allow / Deny / Insert thus become muted.

The policies in the Insert section are processed after the policies in Allow / Deny lists.

Setting the Default Policy to Allow in the Global Sub-Section, permits all HTTP headers to be exchanged, unless there is a policy directive in the Deny List to prevent a header from being exchanged.

Similarly setting the Default policy to Deny shall block all non-mandatory HTTP headers from being exchanged, unless a policy in the Allow list, explicitly permits.


Global

Header-global.jpg

Enabled

Enable or Disable header filter section.

  • TRUE : Enable header filter section.
  • FALSE : Disable header filter section.

Policy

Select the default action to take, when no matching entry for a requested header is found.

  • ALLOW : Allow everything Except rules defined under Deny subsection.
  • DENY : Deny everything Except rules defined under Allow subsection.

Allow

When the Policy is Deny, rules defined under this sub-section, are exclusively allowed access.

Here you can add a new allow entry, that would explicitly result in acceptance or allowance of header filter to all or specific set of conditions.

Header-allow.jpg

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry
  • FALSE : Disable this entry

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

Type

A regular expression matching the header type to which this entry applies to.

Headers are in the form of type and value.

Leave blank to Match everything.

Example : X-GoogApps-Allowed-Domains.

Value

A regular expression matching the header value's this entry applies to leave blank to match everything.

Leave blank to Match everything.

Example : text/html.

Applies to

This option is to select whether this entry applies to the server header, client header, or both.

  • CLIENT : This entry will be applied only for request headers, sent by the client.
  • SERVER : This entry will be applied only for response headers, sent by the server.

Example

Rule#1

I want to allow websockets for connections which are profiled as “ALLOW WEBSOCKET”

This allow rule can be used in a situation where for all users connections to websockets are denied.

Using Allow rule we can allow websockets connections to a defined application/service and for a defined user-group.

Presentation1-headerAllow.png

Deny

When the Policy is Allow, rules defined under this sub-section, are denied access exclusively.

Here you can add a new 'allow' entry, that would explicitly result in blocking or denial the header filter to all or specific set of conditions.

Header-deny.jpg

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry
  • FALSE : Disable this entry

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

Type

A regular expression matching the header type to which this entry applies to.

Headers are in the form of type and value.

Leave blank to Match everything.

Example: X-GoogApps-Allowed-Domains.

Value

A regular expression matching the header value's this entry applies to leave blank to match everything.

Leave blank to Match everything.

Example: text/html.

Applies to

This option is to select whether this entry applies to the server header, client header, or both.

  • CLIENT : This entry will be applied only for request headers, sent by the client.
  • SERVER : This entry will be applied only for response headers, sent by the server.

Example

Rule#1

I want to deny all websocket connection using the request headers with header "websocket"

For connections with profile “REMOVE WEBSOCKETS” "websocket: upgrade" header will be removed from request headers, which will result in websocket connection to never be established.

Presentation1-headerdeny.png

Insert

In this sub section you can add the rules to modify the request and response headers.

You can insert additional information in the headers sent by your browser.

Header-insert.jpg

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry
  • FALSE : Disable this entry

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

Type

A regular expression matching the header type to which this entry applies to.

Headers are in the form of type and value.

Leave blank to Match everything.

Example: X-GoogApps-Allowed-Domains.

Value

A regular expression matching the header value's this entry applies to leave blank to match everything.

Leave blank to Match everything.

Example: text/html.

Applies to

This option is to select whether this entry applies to the server header, client header, or both.

  • CLIENT : This entry will be applied only for request headers, sent by the client.
  • SERVER : This entry will be applied only for response headers, sent by the server.

Example

Rule#1

We want our users to use only our corporate google account.

When users try to login using his/her personal google account they should not be able to login.

Using the custom header in request X-GoogApps-Allowed-Domains we can specify which domains are to be allowed.

Make sure that the list includes the domain you registered with Google Workspace

Slide1-headerInsert.png

Rule#2

We allow our users to watch YouTube during lunch hours, however we do not want user to watch inappropriate contents.

We want to enforce YouTube strict mode for all users.

Using header insert we can insert custom header YouTube-Restrict: To set strict restricted access.

However as per google YouTube strict does not filter 100% of inappropriate contents.

Slide2-headerInsert.png

View headers

In this sub section you can find the example headers with type and values.

Unfiltered-header.jpg