Web Server HTTP Header Information Disclosure

Question

Hello everyone, 
 I have a question regarding the usage of the command 'set http_proxy add_via_header off' in the CLI. We currently have a website and multiple host services, and we are considering disabling HTTP header information disclosure by request. However, before making this change, I wanted to inquire if there could be any potential effects on our services or other applications. 
 Would using the 'set http_proxy add_via_header off' command in the CLI have any unintended consequences or impact on our website and host services? 
 Thank you for your assistance!"

Michael Dunn · Accepted Answer

The via header is most frequently used to track when a request has to go through multiple proxies to get external. It is informational and while it does "leak" information it is not considered particularly dangerous. Please note that this header is added by the web proxy for browsers behind the firewall accessing websites on the internet. It is not added if you are using the DPI engine. It is not added for WAF (Web Application Firewall) for web servers that you are hosting. You can safely disable this, and can turn it back on at any time.

Michael Dunn · Answer

I'm not entirely sure what you mean by safe mode / rollback. If you upgrade from one version to another, you can roll back to the old version. XG has two partitions and can have two versions at a time. You would also be booting back to the old database. For normal configuration changes, there is no rollback.

emmosophos · Answer

Hello, 
 Thank you for contacting the Sophos Community. 
 It would depend on your requirements and security considerations and if you have any compliance or auditions. 
 If you disable it, you&rsquo;ll lose, or the server will lose information about the path a request has followed to your server, making it less easy for your network team to troubleshoot issues. Since the header is gone, and if there are different ways to get to your server other than the WAF, you won&rsquo;t know the difference in the request. 
 I will recommend you to check with your Security team about the implications of disabling it, as they would have a better understanding of what additional consequences disabling this check could cause to your servers. 
 Regards,

Web Server HTTP Header Information Disclosure

Top Replies