
Web Server HTTP Header Information Disclosure

Hello everyone,

I have a question regarding the usage of the command 'set http_proxy add_via_header off' in the CLI. We currently have a website and multiple host services, and we are considering disabling HTTP header information disclosure by request. However, before making this change, I wanted to inquire if there could be any potential effects on our services or other applications.

Would using the 'set http_proxy add_via_header off' command in the CLI have any unintended consequences or impact on our website and host services?

Thank you for your assistance!



  • Hello,

    Thank you for contacting the Sophos Community.

    It would depend on your requirements and security considerations and if you have any compliance or audits.

    If you disable it, you’ll lose, or the server will lose information about the path a request has followed to your server, making it less easy for your network team to troubleshoot issues. Since the header is gone, and if there are different ways to get to your server other than the WAF, you won’t know the difference in the request.

    I would recommend that you check with your Security team about the implications of disabling it, as they would have a better understanding of what additional consequences disabling this check could cause to your servers.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thank you for your reply.

     If the need arises, would it be possible to turn this option back on? I want to ensure that I have a comprehensive understanding of its implications before making any adjustments.

  • The via header is most frequently used to track when a request has to go through multiple proxies to get external.  It is informational and while it does "leak" information it is not considered particularly dangerous.

    Please note that this header is added by the web proxy for browsers behind the firewall accessing websites on the internet.  It is not added if you are using the DPI engine.  It is not added for WAF (Web Application Firewall) for web servers that you are hosting.

    You can safely disable this, and can turn it back on at any time.
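
To see what a Via header actually discloses before deciding whether to turn it off, the following added example (not part of the original thread and not Sophos code) parses a Via field value in the RFC 9110 format and lists the fields that reveal more than a bare pseudonym. The sample header value and the function names are constructed for illustration.

```python
import re

# One Via entry (RFC 9110, section 7.6.3):
#   [protocol-name "/"] protocol-version  received-by  [ "(" comment ")" ]
VIA_ENTRY = re.compile(
    r"^\s*(?:(?P<name>[^\s/]+)/)?(?P<version>[^\s/]+)\s+"
    r"(?P<by>[^\s(]+)(?:\s+\((?P<comment>.*)\))?\s*$"
)

def split_entries(value):
    """Split a Via field value on commas that are not inside a (comment)."""
    entries, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            entries.append("".join(current))
            current = []
        else:
            current.append(ch)
    entries.append("".join(current))
    return [e.strip() for e in entries if e.strip()]

def parse_via(value):
    """Return one dict per proxy hop, in the order the hops were traversed."""
    hops = []
    for entry in split_entries(value):
        m = VIA_ENTRY.match(entry)
        if m is None:
            hops.append({"raw": entry, "parsed": False})
            continue
        hops.append({"raw": entry, "parsed": True,
                     "protocol": (m.group("name") or "HTTP") + "/" + m.group("version"),
                     "received_by": m.group("by"), "comment": m.group("comment")})
    return hops

def disclosures(value):
    """List (hop, field, text) items that reveal more than a bare pseudonym."""
    found = []
    for i, hop in enumerate(parse_via(value)):
        if not hop["parsed"]:
            continue
        # A dot or colon suggests a real hostname, IP address or port.
        if "." in hop["received_by"] or ":" in hop["received_by"]:
            found.append((i, "received_by", hop["received_by"]))
        if hop["comment"]:  # comments commonly carry product and version
            found.append((i, "comment", hop["comment"]))
    return found

# Constructed sample value, not taken from any real device.
SAMPLE = "1.1 proxy1.corp.example:3128 (ExampleProxy/4.2), HTTP/2 edge"
```

Feeding it the Via values seen in your own outbound request captures shows whether the header exposes an internal hostname, port or product string, or only a pseudonym.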


  • Thanks for your reply,

    Is there a safe mode action on Sophos firewall for rollback?

    For example, Cisco has reboot as a command for rolling back and reloading, while Mikrotik has safe mode for rolling back.

  • I'm not entirely sure what you mean by safe mode / rollback.

    If you upgrade from one version to another, you can roll back to the old version.  XG has two partitions and can have two versions at a time.  You would also be booting back to the old database.

    For normal configuration changes, there is no rollback.