Delete the X-Bluecoat-Via Header on your ProxySG

It is part of security practice to restrict information about your internal network from being exposed. It is part of the RFC and thus mandatory for a Proxy Server to insert an X-Bluecoat-Via header so as to advise the receiving server that the request has been proxied. Most likely, this was done so that the server could be notified that a proxy server was used, but in recent times applications are usually proxy-aware and the server does not need this information (and likely this feature was never used.

It is considered best practice to remove information that would inform a potential attacker about what systems you are using. This HTTP header is sending a information about the vendor of your security appliance and should be suppressed.

You mist want to review this article on how to insert the configuration into your system


<Proxy>
action.xvia(yes)
define action xvia
delete( request.header.X-BlueCoat-Via )
end

Edit: Thanks to Andrew Thomas who points out the following:
The purpose of the X-Bluecoat-Via header is to allow bluecoat devices to sense and deal with forwarding loops i.e. if a bluecoat sees itís own header in an incoming request it knows that something has gone wrong with forwarding and the request should be dropped.

Clipping these headers off your requests at the edge of your network is a good idea, but care should be taken before removing these headers from proxies which arenít the last device in a proxy chain.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

You can contact Greg via the site contact page.

  • Andrew Thomas

    The purpose of the X-Bluecoat-Via header is to allow bluecoat devices to sense and deal with forwarding loops i.e. if a bluecoat sees it’s own header in an incoming request it knows that something has gone wrong with forwarding and the request should be dropped.
    Clipping these headers off your requests at the edge of your network is a good idea, but care should be taken before removing these headers from proxies which aren’t the last device in a proxy chain.

Subscribe For Weekly Updates by Email

Get a Weekly Summary of Latest Articles and Posts to your Email Inbox Every Sunday

Thanks for signing up. Look for the email from MailChimp & make sure you confirm your email address. You may need to check your spam or gmail settings to be sure of receiving the email.

Note: You can unsubscribe at any time using the link at the bottom of every email.