Changing Server Response Headers¶
The Change server response headers rule allows adding, deleting server response headers and changing its values.
This rule type is most often used to configure the additional layer of the application security, for example:
If your server does not return this header by default, it is recommended to add it by using the rule Change server response headers. In the MDN Web Docs, you can find descriptions of possible header values and header usage examples.
To change the NGINX header
Serveror any other header containing the data on installed module versions. This data can be potentially used by the attacker to discover vulnerabilities of installed module versions and as a result, to exploit discovered vulnerabilities.
The NGINX header
Servercan be changed starting with Wallarm node 2.16.
The rule Change server response headers can also be used to address any of your business and technical issues.
Creating and applying the rule¶
You can create and apply the rule both in the Attacks and Rules section of Wallarm Console.
In the Attacks section, rules are created with a pre-filled description of endpoints to apply the rule to. The endpoint description corresponds to the request you clicked the Rule button for.
To complete the rule setup, just select the rule action type and make sure all rule components are configured correctly.
In the Rules section, all rule components must be filled in manually.
To create and apply the rule in the Rules section:
Create the rule Change server response headers in the Rules section of Wallarm Console. The rule consists of the following components:
- Condition describes the endpoints to apply the rule to.
- Name of the header to be added or to replace its value.
New value of the specified header.
To delete an existing response header, please leave the value of this header on the Replace tab empty.
Wait for the rule compilation to complete.
Example: adding security policy header and its value¶
To allow all content of
https://example.com/* to come only from the site's origin, you can add the response header
Content-Security-Policy: default-src 'self' by using the rule Change server response headers as follows: