Security headers are HTTP response headers that impose additional restrictions in the browser and thereby raise the overall security level against common attack mechanisms like Cross-Site Scripting (XSS), clickjacking or MIME sniffing. Scanning these headers and grading the result is part of most of today's pentest tools. That's why I often end up in discussions with customers' CISOs. The easiest way to verify your results is the securityheaders scanner (formerly securityheaders.io).

I want to give you some insights into configuring your headers for a Citrix ADC setup when using a Gateway vServer with AAA (aka advanced authentication) and without AAA (aka basic authentication). Two topics get their own sections: StoreFront Receiver / Workspace App client detection, and the differences when using AAA without Gateway.

Starting from Citrix ADC release 13.0 build 76.29, the Content-Security-Policy (CSP) response header is supported for Citrix Gateway and AAA vServer-generated responses. The command enables an aaa parameter, which is also effective for Gateway vServers. See below why I wouldn't recommend the default setting.

First an important note when you're experimenting with the following headers (e.g. binding and unbinding new rewrite policies): cache, cache and cache! You can use ADC's command flush cache contentgroup loginstaticobjects, but the scanning pages like securityheaders or Mozilla's Observatory are also using cached results. Don't be impatient and bring some time for this topic.

This is how the report looks for a typical default Citrix Gateway vServer; it doesn't matter whether it is linked to an authentication profile with an AAA vServer or used directly with basic authentication. The report is based on an actual 13.0 build.

StoreFront Receiver / Workspace App client detection. There are three requests (initiated by jQuery) to StoreFront which are responsible for the detection and are processed in the following sequence:

receiver:///Citrix/Store/clientAssistant/reportDetectionStatus

Detection works in my setup because I've added receiver://* to the list of acceptable clients. Citrix's new default CSP header allows their well-known client applications like Secure Access, the older one called Gateway Plug-in, EPA, and also third-party clients like the VMware Horizon View client, but they forgot their own most-used client engine: the Citrix Workspace App!
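As an added example (not from the original post and not Citrix's shipped configuration), here is how the rewrite-policy approach mentioned above looks in Citrix ADC CLI syntax for the simpler headers, bound to both a Gateway vServer and, for the AAA-without-Gateway case, an authentication vServer. The object names gw_vs, aaa_vs and rw_* are placeholders. The post does not name the aaa parameter behind the built-in CSP; -defaultCSPHeader is the parameter I know the 13.0 build 76.29 feature uses, and the authentication-vServer binding form is as I know it from 13.0, so check both against your build.

```nscli
# Added example for this post, not Citrix's shipped configuration. Object names
# (gw_vs, aaa_vs, rw_*) are placeholders for your own vServer and policy names.

# Toggle for the built-in CSP on Gateway/AAA-generated pages (13.0 build 76.29+).
# The post does not name the parameter; -defaultCSPHeader is the one I know the
# feature uses. Keep it DISABLED while you ship your own CSP via rewrite: a browser
# enforces every CSP header it receives, so a second, broader header cannot relax
# the built-in one, it only adds restrictions.
set aaa parameter -defaultCSPHeader DISABLED

# Header values as constant string expressions (the inner escaped quotes are required).
add rewrite action rw_act_xfo  insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite action rw_act_xcto insert_http_header X-Content-Type-Options "\"nosniff\""
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite action rw_act_refp insert_http_header Referrer-Policy "\"strict-origin-when-cross-origin\""

# Insert only when the header is not already present, so a response that already
# carries its own value is not given a duplicate.
add rewrite policy rw_pol_xfo  "HTTP.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" rw_act_xfo
add rewrite policy rw_pol_xcto "HTTP.RES.HEADER(\"X-Content-Type-Options\").EXISTS.NOT" rw_act_xcto
add rewrite policy rw_pol_hsts "HTTP.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" rw_act_hsts
add rewrite policy rw_pol_refp "HTTP.RES.HEADER(\"Referrer-Policy\").EXISTS.NOT" rw_act_refp

# Gateway vServer (basic auth or linked to an authentication profile): bind on the
# RESPONSE side and chain with NEXT so every policy is evaluated, not just the first hit.
bind vpn vserver gw_vs -policy rw_pol_xfo  -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver gw_vs -policy rw_pol_xcto -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver gw_vs -policy rw_pol_hsts -priority 120 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver gw_vs -policy rw_pol_refp -priority 130 -gotoPriorityExpression NEXT -type RESPONSE

# AAA without Gateway: the login pages are generated by the authentication vServer,
# so the same policies have to be bound there too (binding form as I know it from 13.0).
bind authentication vserver aaa_vs -policy rw_pol_xfo  -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind authentication vserver aaa_vs -policy rw_pol_xcto -priority 110 -gotoPriorityExpression NEXT -type RESPONSE
bind authentication vserver aaa_vs -policy rw_pol_hsts -priority 120 -gotoPriorityExpression NEXT -type RESPONSE
bind authentication vserver aaa_vs -policy rw_pol_refp -priority 130 -gotoPriorityExpression NEXT -type RESPONSE

# Drop the cached login objects before re-testing, then read the policy hit counters.
flush cache contentgroup loginstaticobjects
show rewrite policy rw_pol_xfo
save ns config
```

After the cache flush, fetch the login page once more with a fresh client (for example curl -I against the vServer) and read the headers directly before re-running the external scanners, which cache their results as well. The CSP value is left out of the block because it is deployment-specific and, as the post shows, has to include the receiver: scheme for Workspace App detection; a tested policy goes in as one more insert_http_header action with the same EXISTS.NOT guard and the same two bindings.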