Skip to content

Latest commit

 

History

History
22 lines (18 loc) · 1.39 KB

README.md

File metadata and controls

22 lines (18 loc) · 1.39 KB
Raw

PoC nginx conditional headers

This project provides a proof of concept for unsetting HTTP-Headers based on the User-Agent using nginx

Prerequisites

  1. Install Docker
  2. Install Docker-Compose

Usage

  1. Start the containers: docker-compose up --build --force-recreate -d
  2. Use curl and look for the X-Frame-Options header:
    • curl -v -k -A "Firefox" https://localhost:8443 header should appear
    • curl -v -k -A "Safari" https://localhost:8443 header should not appear
    • curl -v -k -A "Safari: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15" https://localhost:8443 header should not appear
  3. Teadown the containers: docker-compose down

Inner Works

This PoC uses 2 containers:

  1. http-service: a simple http server that serves a page on port 80. For the purpose of this PoC it always sets the X-Frame-Options header.
  2. revproxy: An nginx reverse proxy that terminates TLS and sends http traffic off to http-service.

revproxy uses the Header More nginx module, speficially the more_clear_headers directive, in combination with the default if directive, to remove the X-Frame-Options header when the User-Agent contains "Safari".