Kemal B. Bickici keburak
keburak
/ netscaler-pentest-add-header-sample.txt
Created
September 17, 2020 13:59
netscaler Strict-Transport-Security , X-Frame-Options , X-Xss-Protection , CORS policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ------------------------------------------------------------------------------------------------------ | |
| #add x-frame-options header | |
| add rewrite action act_insert_XFrame_header insert_http_header X-Frame-Options "\"SAMEORIGIN\"" | |
| add rewrite policy pol_enforce_XFrame TRUE act_insert_XFrame_header | |
| ------------------------------------------------------------------------------------------------------ | |
| #add HSTS header | |
| add rewrite action act_insert_HSTS_header insert_http_header Strict-Transport-Security "\"max-age=157680000; includeSubDomains; preload\"" | |
| add rewrite policy pol_enforce_HSTS TRUE act_insert_HSTS_header | |
| ------------------------------------------------------------------------------------------------------ | |
| #add x-xss-protection header |
keburak
/ netscaler-multiple-cors-pol.txt
Last active
September 17, 2020 13:48
netscaler-multiple-cors-pol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| add policy patset CORS_origins_allowed | |
| bind policy patset CORS_origins_allowed .domain.com -index 1 | |
| bind policy patset CORS_origins_allowed .domain.com -index 2 | |
| add responder action CORS_deny_response respondwith q{"HTTP/1.0 401 Unauthorized CORS\r\n\r\n"} -bypassSafetyCheck YES | |
| add responder policy CORS_origin_denied "HTTP.REQ.HEADER(\"Origin\").EXISTS&&HTTP.REQ.HEADER(\"Origin\").TYPECAST_HTTP_URL_T.HOSTNAME.CONTAINS_ANY(\"CORS_origins_allowed\").NOT" CORS_deny_response |