
Use EnvoyFilter to Add HTTP Request Headers in ASM

This article demonstrates how to use EnvoyFilter for adding HTTP request headers in Alibaba Cloud Service Mesh (ASM) to ensure application security.

By Wang Xining

This is the first article in the ASM Extended Capabilities series, a collection of articles describing extended capabilities of Alibaba Cloud Service Mesh (ASM).

Background

Secure HTTP headers are a simple way to improve the security of a web application. The Open Web Application Security Project (OWASP) publishes best practices and a programming framework that explain how to use secure headers to protect applications, including the basic settings listed in the following table.

| HTTP Header | Default Security Setting | Description |
| --- | --- | --- |
| Content-Security-Policy | frame-ancestors none; | Prevents clickjacking attacks from other websites. |
| X-XSS-Protection | 1; mode=block | Activates the XSS filter of the browser if available and prevents rendering if XSS is detected. |
| X-Content-Type-Options | nosniff | Disables the content type sniffing function of the browser. |
| Referrer-Policy | no-referrer | Disables automatic sending of the referrer header. |
| X-Download-Options | noopen | Disables the automatic download feature of earlier Internet Explorer versions. |
| X-DNS-Prefetch-Control | off | Disables speculative DNS resolution for external links on the page. |
| Server | envoy | Set automatically by the Istio ingress gateway. |
| X-Powered-By | (removed) | The header is removed to hide the names and versions of potentially vulnerable application servers. |
| Feature-Policy | camera 'none'; microphone 'none'; geolocation 'none'; encrypted-media 'none'; payment 'none'; speaker 'none'; usb 'none'; | Controls the features and APIs that can be used in the browser. |

Run the following curl command to view the HTTP headers returned for the Bookinfo application homepage. The output is as follows:

curl -I http://{IP address of the ingress gateway service}/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5183
server: istio-envoy
date: Tue, 28 Jan 2020 08:15:21 GMT
x-envoy-upstream-service-time: 28

By default, none of the security-related HTTP headers listed above are present in the sample application's homepage response.

Next, let's see how to use EnvoyFilter to add secure HTTP request headers in ASM.

Define EnvoyFilter

  • If kubectl is not yet connected to the ASM instance, configure the connection first.
  • Run the following commands to deploy Istio EnvoyFilter:
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: security-by-default-header-filter
spec:
  filters:
  - listenerMatch:
      listenerType: GATEWAY
    filterType: HTTP
    filterName: envoy.lua
    filterConfig:
      inlineCode: |
        function envoy_on_response(response_handle)
          -- Returns true if the existing CSP header already carries a frame-ancestors directive.
          local function hasFrameAncestors(rh)
            local s = rh:headers():get("Content-Security-Policy");
            local delimiter = ";";
            for match in (s..delimiter):gmatch("(.-)"..delimiter) do
              match = match:gsub("%s+", "");
              if match:sub(1, 15)=="frame-ancestors" then
                return true;
              end
            end
            return false;
          end
          -- Add frame-ancestors, or append it to a CSP the application already sets.
          local csp = response_handle:headers():get("Content-Security-Policy");
          if not csp then
            response_handle:headers():add("Content-Security-Policy", "frame-ancestors none;");
          elseif not hasFrameAncestors(response_handle) then
            response_handle:headers():replace("Content-Security-Policy", csp .. ";frame-ancestors none;");
          end
          -- The remaining headers are only added when the application did not set them itself.
          if not response_handle:headers():get("X-Frame-Options") then
            response_handle:headers():add("X-Frame-Options", "deny");
          end
          if not response_handle:headers():get("X-XSS-Protection") then
            response_handle:headers():add("X-XSS-Protection", "1; mode=block");
          end
          if not response_handle:headers():get("X-Content-Type-Options") then
            response_handle:headers():add("X-Content-Type-Options", "nosniff");
          end
          if not response_handle:headers():get("Referrer-Policy") then
            response_handle:headers():add("Referrer-Policy", "no-referrer");
          end
          if not response_handle:headers():get("X-Download-Options") then
            response_handle:headers():add("X-Download-Options", "noopen");
          end
          if not response_handle:headers():get("X-DNS-Prefetch-Control") then
            response_handle:headers():add("X-DNS-Prefetch-Control", "off");
          end
          if not response_handle:headers():get("Feature-Policy") then
            response_handle:headers():add("Feature-Policy",
                                          "camera 'none';"..
                                          "microphone 'none';"..
                                          "geolocation 'none';"..
                                          "encrypted-media 'none';"..
                                          "payment 'none';"..
                                          "speaker 'none';"..
                                          "usb 'none';");
          end
          -- X-Powered-By is removed so that server names and versions are not disclosed.
          if response_handle:headers():get("X-Powered-By") then
            response_handle:headers():remove("X-Powered-By");
          end
        end
EOF
  • The following output appears, which indicates that the filter has been deployed:
envoyfilter.networking.istio.io/security-by-default-header-filter created

Verify HTTP Request Headers

  • Run the curl command again to check that the secure HTTP headers have been added. The command output is as follows:
curl -I http://{IP address of the ingress gateway service}/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 4183
server: istio-envoy
date: Tue, 28 Jan 2020 09:07:01 GMT
x-envoy-upstream-service-time: 17
content-security-policy: frame-ancestors none;
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer
x-download-options: noopen
x-dns-prefetch-control: off
feature-policy: camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';payment 'none';speaker 'none';usb 'none';

The sample application's homepage response now contains the security-related HTTP headers listed above.
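Reading the curl output by eye does not scale once several gateways are involved, so here is an added Python checker (not part of the article or of ASM) that parses `curl -I` output and reports which headers from the table are missing or wrong. It mirrors the filter's frame-ancestors test and runs on constructed samples modelled on the two outputs above; the before sample includes an X-Powered-By header that the article's own output does not contain, so that the removal check is exercised too.

```python
import re

# Headers the filter adds (from the table above); None means only presence is checked.
EXPECTED = {
    "x-frame-options": "deny",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
    "x-download-options": "noopen",
    "x-dns-prefetch-control": "off",
    "feature-policy": None,
}

def parse_head(raw):
    # Turn the text of a `curl -I` response into a dict keyed by lowercase header name.
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def has_frame_ancestors(csp):
    # Same test as the filter's hasFrameAncestors(): strip whitespace per ';'-separated directive.
    return any(re.sub(r"\s+", "", d).startswith("frame-ancestors") for d in csp.split(";"))

def audit(raw):
    # Return a list of findings; an empty list means the response matches the table.
    h = parse_head(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif want is not None and got.lower() != want:
            findings.append(f"{name}: got {got!r}, want {want!r}")
    if not has_frame_ancestors(h.get("content-security-policy", "")):
        findings.append("content-security-policy lacks frame-ancestors")
    if "x-powered-by" in h:  # the filter removes this header outright
        findings.append("x-powered-by should be removed")
    return findings

# Constructed samples modelled on the article's two curl -I outputs (not captured from a live gateway).
BEFORE = "HTTP/1.1 200 OK\ncontent-type: text/html; charset=utf-8\nserver: istio-envoy\nx-powered-by: Express\n"
AFTER = BEFORE.replace("x-powered-by: Express\n", "") + "".join(
    f"{k}: {v}\n" for k, v in EXPECTED.items() if v) + (
    "content-security-policy: default-src 'self';frame-ancestors none;\n"
    "feature-policy: camera 'none';microphone 'none';\n")
```

Calling `audit(BEFORE)` lists every missing header plus the X-Powered-By leak, while `audit(AFTER)` returns an empty list; pipe real `curl -I` output into `audit` to check a deployed gateway.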

The above demonstration shows a simple way to use EnvoyFilter to add HTTP request headers in ASM.
