You can add HTTP headers to the responses that your applications return in order to harden web applications. This topic describes how to define EnvoyFilter resources that add these HTTP headers.
Prerequisites
- An Alibaba Cloud Service Mesh (ASM) instance is created and a Container Service for Kubernetes cluster is added to the instance.
- The kubectl client is connected to the Container Service for Kubernetes cluster. For more information, see Use kubectl to connect to an ASM instance.
- Applications are deployed in the ASM instance. For more information, see Deploy applications in an ASM instance.
- Istio resources are defined. For more information, see Define Istio resources.
Background information
Open Web Application Security Project (OWASP) provides best practices and a coding framework that describe how to use HTTP headers to secure applications. The following table describes the basic HTTP headers.
HTTP request header | Default value | Description |
---|---|---|
Content-Security-Policy | frame-ancestors none; | Prevents clickjacking attacks from other websites. |
X-XSS-Protection | 1; mode=block | Activates the cross-site scripting (XSS) filter of a browser (if it is available) so that the browser stops rendering when an XSS attack is detected. |
X-Content-Type-Options | nosniff | Disables content sniffing in a browser. |
Referrer-Policy | no-referrer | Specifies that no referrer information is sent along with requests. |
X-Download-Options | noopen | Prevents old versions of Internet Explorer from allowing downloads to be executed automatically. |
X-DNS-Prefetch-Control | off | Disables DNS prefetching for external hyperlinks on webpages. |
Server | envoy | The server that generates the response. This HTTP header is automatically set by the Istio ingress gateway. |
X-Powered-by | N/A | Contains information about the hosting environment or other frameworks. Do not set this HTTP header if you want to hide the name and version information of vulnerable application servers. |
Feature-Policy | camera 'none'; microphone 'none'; geolocation 'none'; encrypted-media 'none'; payment 'none'; speaker 'none'; usb 'none'; | Specifies the features and operations that are available to browsers. |
This topic uses the Bookinfo application as an example. For more information, see Deploy applications in an ASM instance. You can run the following curl command to query the HTTP headers returned by the application.
```
curl -I http://{IP address of the ingress gateway service}/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5183
server: istio-envoy
date: Tue, 28 Jan 2020 08:15:21 GMT
x-envoy-upstream-service-time: 28
```
The command output shows that the response for the application homepage does not contain any of the HTTP headers described in Table 1. You can define an EnvoyFilter resource to quickly add the secure HTTP headers to application responses.
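As an added example that is not part of this topic or of the ASM product, the following Python script automates the check that the curl command above performs by hand. It parses a `curl -I` style response head, reports which of the headers in Table 1 are missing or differ from the recommended value, and flags headers that disclose the server stack (`Server`, `X-Powered-By`). The embedded sample response is constructed to match the Bookinfo output shown above; the header names and values are taken from the table, with two assumptions noted in comments (the CSP keyword is written in the quoted form the CSP syntax requires, and values are compared case-insensitively with the trailing semicolon ignored).

```python
"""Audit an HTTP response head against the security headers recommended above.

Added example, not code from the ASM documentation. Run it directly to see the
report for the constructed sample, or import audit_raw() and feed it the output
of: curl -I http://<ingress gateway>/productpage
"""
import re

# Constructed sample: mirrors the curl -I output for the Bookinfo productpage.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5183
server: istio-envoy
date: Tue, 28 Jan 2020 08:15:21 GMT
x-envoy-upstream-service-time: 28
"""

# Headers the response should carry, with the value recommended in Table 1.
# Assumption: CSP source keywords must be quoted ('none'); the table shows it unquoted.
RECOMMENDED = {
    "content-security-policy": "frame-ancestors 'none';",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
    "x-download-options": "noopen",
    "x-dns-prefetch-control": "off",
    "feature-policy": "camera 'none'; microphone 'none'; geolocation 'none'; "
                      "encrypted-media 'none'; payment 'none'; speaker 'none'; usb 'none';",
}

# Headers that reveal the server stack. The table advises against X-Powered-By,
# and Server is emitted by the gateway, so both are worth surfacing in a report.
DISCLOSURE = ("server", "x-powered-by")


def parse_head(raw: str) -> dict:
    """Parse a status line plus header lines (as printed by curl -I) into a dict.

    Header names are lower-cased; repeated names are joined with ', ' as RFC 9110
    allows for list-valued fields. A blank line ends the header block.
    """
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("expected a status line starting with HTTP/")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def _norm(value: str) -> str:
    """Assumption for comparison: case-insensitive, whitespace collapsed, no trailing ';'."""
    return re.sub(r"\s+", " ", value.strip().lower()).rstrip(";").strip()


def audit(headers: dict) -> dict:
    """Return missing recommended headers, mismatched values, and disclosure headers."""
    missing = [h for h in RECOMMENDED if h not in headers]
    mismatched = {h: headers[h] for h, want in RECOMMENDED.items()
                  if h in headers and _norm(headers[h]) != _norm(want)}
    disclosed = {h: headers[h] for h in DISCLOSURE if h in headers}
    return {"missing": missing, "mismatched": mismatched, "disclosed": disclosed}


def audit_raw(raw: str) -> dict:
    """Convenience wrapper: parse raw curl -I output and audit it."""
    return audit(parse_head(raw))


if __name__ == "__main__":
    report = audit_raw(SAMPLE_RESPONSE)
    for h in report["missing"]:
        print(f"MISSING    {h}: {RECOMMENDED[h]}")
    for h, got in report["mismatched"].items():
        print(f"MISMATCH   {h}: got {got!r}, want {RECOMMENDED[h]!r}")
    for h, got in report["disclosed"].items():
        print(f"DISCLOSED  {h}: {got}")
```

Running the script against the sample prints seven MISSING lines (one per header in Table 1) and one DISCLOSED line for `server: istio-envoy`, which is the state the curl output above shows before an EnvoyFilter is applied. After you apply a filter, rerun the check against the live gateway output; a header that is present but set to a weaker value shows up as MISMATCH rather than being silently accepted.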