netscaler Strict-Transport-Security , X-Frame-Options , X-Xss-Protection , CORS policy

netscaler-pentest-add-header-sample.txt

------------------------------------------------------------------------------------------------------
#add x-frame-options header
add rewrite action act_insert_XFrame_header insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite policy pol_enforce_XFrame TRUE act_insert_XFrame_header
------------------------------------------------------------------------------------------------------
#add HSTS header 
add rewrite action act_insert_HSTS_header insert_http_header Strict-Transport-Security "\"max-age=157680000; includeSubDomains; preload\""
add rewrite policy pol_enforce_HSTS TRUE act_insert_HSTS_header
------------------------------------------------------------------------------------------------------
#add x-xss-protection header
add rewrite action act_insert_XSS_header insert_http_header X-Xss-Protection "\"1; mode=block\""
add rewrite policy pol_enforce_XSS TRUE act_insert_XSS_header
------------------------------------------------------------------------------------------------------
#Cross-Origin Resource Sharing
add policy patset CORS_origins_allowed
bind policy patset CORS_origins_allowed .domain.com -index 1
bind policy patset CORS_origins_allowed .domain.com -index 2
add responder action CORS_deny_response respondwith q{"HTTP/1.0 401 Unauthorized CORS\r\n\r\n"} -bypassSafetyCheck YES
add responder policy CORS_origin_denied "HTTP.REQ.HEADER(\"Origin\").EXISTS&&HTTP.REQ.HEADER(\"Origin\").TYPECAST_HTTP_URL_T.HOSTNAME.CONTAINS_ANY(\"CORS_origins_allowed\").NOT" CORS_deny_response