Internal scan not seeing header response set in IIS after Cloudflare implementation

heath.a.knox · January 17, 2021, 5:25pm

We have an internal security scan that checks the valid headers we have set in IIS. If I run this through Access we do not see the results. If I remove Access service we see the proper values. Is there any way to make sure the headers set on the origin server in IIS present themselves when Access is added. the application owners get emails daily that the application is non-compliant daily, but we need Access for MFA.

without Access enabled

with access enabled

erictung · January 18, 2021, 1:51am

Maybe @SamRhea can take a look at it?

SamRhea · January 18, 2021, 11:14am

Hi @heath.a.knox - have you given your scanner a way to pass Cloudflare Access? Looks like it’s getting blocked by Access; you could provide it with a service token or bypass its IP if known for the test.

heath.a.knox · January 23, 2021, 3:47pm

I was able to get the worker working for headers, but now we are seeing cookies that are missing some values. We’d like to update the cookie in a worker and have that override the cookies from the origin. Below are the cookies we need to ADD the values at the end of the line in a worker

JSESSIONID=9E038B36D2C5F0757A086B55E5595A0B; Path=/; HttpOnly ADD-Secure

ApplicationGatewayAffinity=dcec2995d01b66c910bb7656957055c4bbea8f3f774649508c450938f74a3cfb;Path=/;Domain=generic-copy.creativedrive.com ADD-HttpOnly

ApplicationGatewayAffinity=dcec2995d01b66c910bb7656957055c4bbea8f3f774649508c450938f74a3cfb;Path=/;Domain=generic-copy.creativedrive.com ADD-Secure

ApplicationGatewayAffinityCORS=dcec2995d01b66c910bb7656957055c4bbea8f3f774649508c450938f74a3cfb;Path=/;Domain=generic-copy.creativedrive.com;SameSite=None;Secure ADD-HttpOnly

michael · January 23, 2021, 5:25pm

That would be much simpler to do on your Origin server, but is possible in Workers. A starting point is the Alter Headers worker example.

heath.a.knox · January 23, 2021, 8:12pm

Hello Michael,

I’m really a novice on this so I’m not sure where to actually add the cookie details. Does it matter?

async function handleRequest(request) { // Make the headers mutable by re-constructing the Request. request = new Request(request) request.headers.set(“x-my-header”, “custom value”) const URL = “https://examples.cloudflareworkers.com/demos/static/html”

// URL is set up to respond with dummy HTML let response = await fetch(URL, request)

// Make the headers mutable by re-constructing the Response. response = new Response(response.body, response) response.headers.set(“x-my-header”, “custom value”) return response}

addEventListener(“fetch”, event => { event.respondWith(handleRequest(event.request))})

Thanks

system · February 16, 2021, 5:25pm

This topic was automatically closed after 30 days. New replies are no longer allowed.