Addition of new httpprofile parameter “allowOnlyWordCharactersAndHyphen”

Article ID: CTX469943

Description

The Citrix ADC appliance can now allow only word characters [A-Za-z0-9_] and hyphen [-] in HTTP request and response header names. If a request or response contains any other character in a header name, the connection is reset.

Resolution

Customers who do not want this behaviour can disable the parameter in their HTTP profile. However, Citrix recommends keeping this parameter enabled, in line with RFC standards.

Command to disable this parameter from the CLI:

set httpprofile <http_profile_name> -allowOnlyWordCharactersAndHyphen disabled

GUI settings:
To add a new profile, go to: System -> Profiles -> HTTP Profiles -> Add
To edit an existing profile, go to: System -> Profiles -> HTTP Profiles -> Edit

Change in Behaviour
A security fix was introduced in NetScaler build version 13.1-21.50. In this release, the newly added parameter is enabled by default in the following default HTTP profiles:
  1. nshttp_default_profile
  2. nshttp_default_strict_validation
  3. nshttp_default_internal_apps
  4. nshttp_default_http_quic_profile
Customers upgrading NetScaler devices to firmware version 13.1-21.50 or 13.1-24.38 may see requests or responses dropped if their header names include any character other than word characters [A-Za-z0-9_] and hyphen [-].

Further updates
From NetScaler firmware version 13.1-27.59 onwards, the default HTTP profiles nshttp_default_profile and nshttp_default_http_quic_profile have this knob disabled, while the profiles nshttp_default_strict_validation and nshttp_default_internal_apps have it enabled. The recommendation is to enable this HTTP profile parameter so that NetScaler devices enforce strict validation of HTTP header names. If that breaks existing deployments or applications, the parameter can be turned off with the command below until the applications are updated to use header names that contain only word characters [A-Za-z0-9_] and hyphen [-]:

set httpprofile <http_profile_name> -allowOnlyWordCharactersAndHyphen disabled
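To audit application traffic before enabling the knob (or before upgrading to a build where it is enabled by default), the check below applies the header-name rule from this article to a raw HTTP message and reports the names the appliance would reject. This is an added example, not NetScaler code; the sample request is constructed for illustration.

```python
import re

# Rule from the article: a header name may contain only word characters
# [A-Za-z0-9_] and the hyphen [-]. Note that the RFC 9110/7230 "token"
# syntax also permits characters such as ! # $ % & ' * + . ^ ` | ~, so a
# header name that is valid per the RFC can still be rejected by this knob.
ALLOWED_HEADER_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def offending_header_names(raw_message: bytes) -> list:
    """Return the header names in a raw HTTP request or response that would
    be rejected when allowOnlyWordCharactersAndHyphen is enabled.

    Only the header block is examined (everything before the first blank
    line); the request/status line and obsolete line folding are skipped.
    """
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    offenders = []
    for line in head.split(b"\r\n")[1:]:  # [1:] skips the start line
        if not line or line[:1] in (b" ", b"\t"):
            continue  # empty line or obs-fold continuation: no header name here
        name = line.split(b":", 1)[0].decode("latin-1")
        if not ALLOWED_HEADER_NAME.match(name):
            offenders.append(name)
    return offenders


def would_be_reset(raw_message: bytes) -> bool:
    """True if the appliance would reset the connection for this message."""
    return bool(offending_header_names(raw_message))


# Constructed sample request (not taken from the article) with two header
# names that fall outside the allowed character set.
SAMPLE_REQUEST = (
    b"GET /api/v1/items HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"X-Request-ID: 7f3c\r\n"
    b"X_Legacy_Flag: 1\r\n"       # underscore is allowed
    b"X-Tenant.Name: acme\r\n"    # '.' is an RFC token char but not allowed here
    b"X-Trace%Tag: abc\r\n"       # '%' is not allowed either
    b"\r\n"
)

if __name__ == "__main__":
    print(offending_header_names(SAMPLE_REQUEST))  # ['X-Tenant.Name', 'X-Trace%Tag']
```

Run it over captured requests and responses from each application behind the profile; any non-empty result is a header that must be renamed before the parameter can be left enabled.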