What is strict HTTP validation and why is it recommended?
NetScaler provides customers with the option to restrict the nature of incoming and outgoing HTTP traffic. Enabling strict HTTP validation ensures that the customer’s NetScaler instance accepts only correctly formatted HTTP requests and drops all others.
Strict HTTP validation will also ensure that responder policies that may have been setup to evaluate incoming HTTP traffic will operate as intended.
If a customer chooses to not enable strict HTTP validation, they should be aware that a client may be able to send incorrectly formatted HTTP traffic to the backend server.
Is strict HTTP validation enabled by default?
No, strict HTTP validation is not enabled by default, either on an individual vServer or on a global basis. Either the nshttp_default_strict_validation HTTP profile (per vServer) or the relevant HTTP parameter, -dropInvalReqs (global), must be manually enabled before HTTP requests are evaluated for validity.
How can I check if strict HTTP validation has been configured?
From the NSCLI:
To verify which HTTP parameters have been set on a global level, use the following NSCLI command:
show ns httpParam
If the NetScaler has been configured to drop invalid HTTP requests, the ‘Configured HTTP parameters’ output will show that ‘Drop invalid HTTP requests’ has a value of ‘ON’.
For example:
Use the following command to verify which profile is bound to the vServer:
show vserver <vserver name>
If the vServer is configured with the correct HTTP profile, the NSCLI output will show ‘nshttp_default_strict_validation’ in the ‘HTTP profile name:’ field.
From the Administration GUI:
To verify whether the NetScaler has been configured to drop invalid HTTP requests on a global basis, navigate to the ‘System’, ‘Settings’ section and select the ‘Change HTTP Parameters’ option. If enabled, the ‘Drop invalid HTTP requests’ option will be checked.
To verify whether this option has been enabled on specific vServers, open the properties of the vServer and verify that the ‘Profiles’ section of the ‘Advanced Settings’ contains ‘nshttp_default_strict_validation’.
If this is present, the profile has been enabled for that vServer.
How do I configure the policy?
More information on how to enable this policy can be found in the ‘HTTP Configurations’ section of the NetScaler Administrator’s Guide. For example, the location for NetScaler version 11 is below:
https://docs.citrix.com/en-us/netscaler/11/system/http-configurations.html
Customers wishing to configure the NetScaler appliance to drop invalid HTTP requests on a global basis can use the following NSCLI command:
set ns httpParam -dropInvalReqs ENABLED
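The following POSIX shell helpers are an added example, not part of the Citrix article and not NetScaler code. They automate the two checks described above (‘show ns httpParam’ on a global basis and ‘show vserver’ per vServer) by parsing captured NSCLI output, and they emit the NSCLI commands still needed to reach the strict-validation state this article recommends. The sample outputs are constructed for illustration and key only on the field names the article quotes; the per-vServer remediation command assumes a load-balancing vServer and uses the -httpProfileName parameter of ‘set lb vserver’, which is not mentioned in the article.

```shell
#!/bin/sh
# Added example (not from the Citrix article). Usage against a real appliance:
#   ssh nsroot@<netscaler> 'show ns httpParam'   > httpparam.txt
#   ssh nsroot@<netscaler> 'show vserver web-vip' > vserver.txt
#   report_strict_validation "$(cat httpparam.txt)" "$(cat vserver.txt)"

# Global check: the 'Drop invalid HTTP requests' field must read ON.
strict_validation_enabled() {
    printf '%s\n' "$1" | grep -qi 'Drop invalid HTTP requests[[:space:]]*:[[:space:]]*ON'
}

# Per-vServer check: the bound profile must be nshttp_default_strict_validation.
vserver_has_strict_profile() {
    printf '%s\n' "$1" | grep -qi 'HTTP profile name[[:space:]]*:[[:space:]]*nshttp_default_strict_validation'
}

# One-line summary of both settings for a vServer.
report_strict_validation() {
    global_out=$1
    vserver_out=$2
    if strict_validation_enabled "$global_out"; then g=ON; else g=OFF; fi
    if vserver_has_strict_profile "$vserver_out"; then v=strict; else v=default; fi
    printf 'global dropInvalReqs=%s vserver profile=%s\n' "$g" "$v"
}

# Emit only the NSCLI commands still needed: the global parameter from the
# article, plus the per-vServer profile binding (assumed: an LB vServer named $3).
remediation_commands() {
    global_out=$1
    vserver_out=$2
    vserver_name=$3
    strict_validation_enabled "$global_out" \
        || printf 'set ns httpParam -dropInvalReqs ENABLED\n'
    vserver_has_strict_profile "$vserver_out" \
        || printf 'set lb vserver %s -httpProfileName nshttp_default_strict_validation\n' "$vserver_name"
}

# Constructed sample outputs (layout of real NSCLI output may differ).
GLOBAL_ON='Configured HTTP parameters
        Drop invalid HTTP requests: ON'

GLOBAL_OFF='Configured HTTP parameters
        Drop invalid HTTP requests: OFF'

VSERVER_STRICT='web-vip (10.0.0.10:443) - SSL  Type: ADDRESS
        HTTP profile name: nshttp_default_strict_validation'

VSERVER_DEFAULT='web-vip (10.0.0.10:443) - SSL  Type: ADDRESS
        HTTP profile name: nshttp_default_profile'

# Stand-alone demonstration: a global-OFF, default-profile appliance needs both commands.
report_strict_validation "$GLOBAL_OFF" "$VSERVER_DEFAULT"
remediation_commands "$GLOBAL_OFF" "$VSERVER_DEFAULT" web-vip
```

Because the global parameter and the per-vServer profile are independent settings, the report shows both so that an administrator can see which of the two (if either) is protecting a given vServer; the remediation output is intended for review before being pasted into the NSCLI, after the test-environment evaluation the article recommends.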
Other Information
It is possible that enabling this feature may have an impact on some custom applications that do not use standard HTTP fields. Citrix recommends that customers making this change ensure that it is sufficiently evaluated in a test environment prior to rolling out to a production environment.
How can I or my customer get more information?
Should you or your customer require additional details or guidance, please contact your normal Citrix Support representative.