Delete the X-Bluecoat-via Header on Your ProxySG
February 27, 2008 by Greg Ferro · 1 Comment
It is part of security practice to restrict information about your internal network from being exposed. It is part of the RFC and thus mandatory for a Proxy Server to insert an X-Bluecoat-Via header so as to advise the receiving server that the request has been proxied. Most likely, this was done so that the server could be notified that a proxy server was used, but in recent times applications are usually proxy-aware and the server does not need this information (and likely this feature was never used.
It is considered best practice to remove information that would inform a potential attacker about what systems you are using. This HTTP header is sending a information about the vendor of your security appliance and should be suppressed.
You mist want to review this article on how to insert the configuration into your system
<Proxy>
action.xvia(yes)
define action xvia
delete( request.header.X-BlueCoat-Via )
end
Edit: Thanks to Andrew Thomas who points out the following:
The purpose of the X-Bluecoat-Via header is to allow bluecoat devices to sense and deal with forwarding loops i.e. if a bluecoat sees it’s own header in an incoming request it knows that something has gone wrong with forwarding and the request should be dropped.
Clipping these headers off your requests at the edge of your network is a good idea, but care should be taken before removing these headers from proxies which aren’t the last device in a proxy chain.
Please rate this post:
Why Rate Posts?
(No Ratings Yet)
Loading ...Probably Related Posts on the Same Topic
Fast Introduction to SOCKS Proxy
Introduction
In the Blue Coat forums I often see people ask questions about SOCKS that show they haven’t taken the time to learn what it is. This is a fast introduction to what SOCKS is.
…
Checking Connectivity on Your Blue Coat ProxySG
A very simple tool in your Proxy SG to check that you can access resources. It only works for HTTP but it provides a good check. I use this a lot in networks where ICMP has been disabled for security.
Read the full articleInternets of Interest: 18th Sep
Collection of useful, relevant or inane places on the the Internets for 18th Sep:
Read the full articleSOCKS Clients That Are Available for Your Blue Coat ProxySG — Update
A short list of SOCKS Clients that I have used or know of
Note that many programs have their own SOCKS client built in, many FTP clients such as Filezilla, WS FTP, Firefox and so on have built in support. You really need a client when you have an application that must use a proxy server, but the application does not have proxy support.
…
Read the full article
The purpose of the X-Bluecoat-Via header is to allow bluecoat devices to sense and deal with forwarding loops i.e. if a bluecoat sees it’s own header in an incoming request it knows that something has gone wrong with forwarding and the request should be dropped.
Clipping these headers off your requests at the edge of your network is a good idea, but care should be taken before removing these headers from proxies which aren’t the last device in a proxy chain.