"Q11827 HTTP Security Header Not Detected" on NetScaler Management IP Using Qualys Scan


Article ID: CTX236508


Description

The Qualys scan of the NetScaler management IP (NSIP) fails with the message:
Q11827 HTTP Security Header Not Detected

The following is an excerpt from the scan report:

This QID reports the absence of the following HTTP headers (https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers) according to CWE-693: Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html):
X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top level page.
X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality.
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.
Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Resolution

Points to Note

 

  1. This is a generic template that is applicable across NetScaler versions; later versions may already send some of these headers. For a version-specific configuration, review the Fiddler or browser developer-tool output while accessing the NetScaler management IP and apply only the Part 2 configuration for the headers that are actually missing.

  2. Take System backup before making any changes.

  3. After making these changes, thoroughly check GUI access and the functionality of API-based monitoring tools that talk to NetScaler (NMAS, Command Center, or any other).

Part 1: Execute the following commands at the shell prompt to enable policy evaluation (and therefore the rewrite feature) on traffic to the management IP, and to make the change persistent across reboots (on both the primary and the secondary node)
 
nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 
cd /nsconfig
echo nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 >> rc.netscaler
cat rc.netscaler | grep skip_systemaccess
 
Part 2: Exit the shell and execute the following commands at the NetScaler CLI (>) prompt (on the primary only; these commands will sync to the secondary)
 
enable ns feature rewrite
add policy expression is_management_ip client.ip.dst.eq(SYS.NSIP)

add rewrite action insert_x-xss-protection_act insert_http_header X-XSS-Protection "\"1; mode=block\""
add rewrite action insert_x-content-type-options_act insert_http_header X-Content-Type-Options "\"nosniff\""
add rewrite action insert_x-frame-options_act insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite action insert_x-hsts-header_act insert_http_header Strict-Transport-Security "\"max-age=157680000; includeSubDomains\""
add rewrite action insert_CSP_act insert_http_header Content-Security-Policy "\"frame-ancestors \'self\'\""
 
add rewrite policy insert_x-xss-protection_pol "is_management_ip && http.RES.HEADER(\"X-XSS-Protection\").EXISTS.NOT" insert_x-xss-protection_act
add rewrite policy insert_x-content-type-options_pol "is_management_ip && http.RES.HEADER(\"X-Content-Type-Options\").EXISTS.NOT" insert_x-content-type-options_act
add rewrite policy insert_x-frame-options_pol "is_management_ip && http.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" insert_x-frame-options_act
add rewrite policy insert_x-hsts-header_pol "is_management_ip && http.RES.HEADER(\"Strict-Transport-Security\").EXISTS.NOT" insert_x-hsts-header_act
add rewrite policy insert_CSP_pol "is_management_ip && http.RES.HEADER(\"Content-Security-Policy\").EXISTS.NOT" insert_CSP_act 

# Note: the priority numbers below may have to be changed so that they do not conflict with existing globally bound rewrite policies.

bind rewrite global insert_x-xss-protection_pol 2 next -type RES_DEFAULT
bind rewrite global insert_x-content-type-options_pol 3 next -type RES_DEFAULT
bind rewrite global insert_x-frame-options_pol 4 next -type RES_DEFAULT
bind rewrite global insert_CSP_pol 5 next -type RES_DEFAULT
bind rewrite global insert_x-hsts-header_pol 6 next -type RES_DEFAULT
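The following POSIX shell script is an added example; it is not part of this article and not Citrix code. It implements the check from Point 1 above: it fetches the response headers from the management IP with curl (assumed to be installed on the workstation that runs it; the NSIP environment variable is a name chosen for this example) and prints only the Part 2 commands for those of the five QID 11827 headers that are actually missing, so headers a newer build already sends are not re-inserted. PRIO_START (default 100) is an assumed starting priority for the global bindings and must be adjusted as the note above says.

```shell
#!/bin/sh
# Added example, not from the Citrix article: find which of the five headers
# that Qualys QID 11827 checks are absent from an HTTP response, and emit only
# the NetScaler rewrite commands (from Part 2 above) needed for those headers.
# Assumptions: curl is available on the workstation; the management IP is
# passed in the NSIP environment variable (name chosen for this example);
# PRIO_START is an assumed starting priority for the global bindings.

# Headers QID 11827 looks for, in the order the scan report lists them.
REQUIRED_HEADERS="X-Frame-Options X-XSS-Protection X-Content-Type-Options Content-Security-Policy Strict-Transport-Security"

# missing_headers: read raw HTTP response headers on stdin and print the
# required headers that are absent, one per line. Names are matched
# case-insensitively and CRs are stripped, so curl or Fiddler output works as-is.
missing_headers() {
    _hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for _h in $REQUIRED_HEADERS; do
        _lc=$(printf '%s' "$_h" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$_hdrs" | grep -q "^$_lc:"; then
            printf '%s\n' "$_h"
        fi
    done
}

# gen_commands: for each header name given as an argument, print the
# add-action, add-policy and bind lines from Part 2 of the article, with
# consecutive priorities starting at PRIO_START. Unknown names are skipped.
# The "enable ns feature rewrite" and is_management_ip expression are still
# required once and are not generated here.
gen_commands() {
    _prio=${PRIO_START:-100}
    for _h in "$@"; do
        case "$_h" in
            X-XSS-Protection)
                _act=insert_x-xss-protection_act; _pol=insert_x-xss-protection_pol
                _val='\"1; mode=block\"' ;;
            X-Content-Type-Options)
                _act=insert_x-content-type-options_act; _pol=insert_x-content-type-options_pol
                _val='\"nosniff\"' ;;
            X-Frame-Options)
                _act=insert_x-frame-options_act; _pol=insert_x-frame-options_pol
                _val='\"SAMEORIGIN\"' ;;
            Strict-Transport-Security)
                _act=insert_x-hsts-header_act; _pol=insert_x-hsts-header_pol
                _val='\"max-age=157680000; includeSubDomains\"' ;;
            Content-Security-Policy)
                _act=insert_CSP_act; _pol=insert_CSP_pol
                _val="\\\"frame-ancestors \\'self\\'\\\"" ;;
            *) printf 'skipping unknown header: %s\n' "$_h" >&2; continue ;;
        esac
        printf 'add rewrite action %s insert_http_header %s "%s"\n' "$_act" "$_h" "$_val"
        printf 'add rewrite policy %s "is_management_ip && http.RES.HEADER(\\"%s\\").EXISTS.NOT" %s\n' "$_pol" "$_h" "$_act"
        printf 'bind rewrite global %s %s next -type RES_DEFAULT\n' "$_pol" "$_prio"
        _prio=$((_prio + 1))
    done
}

# check_nsip: GET the management page over HTTPS, dump the response headers
# to stdout (body discarded) and report the missing ones. -k is needed because
# the NSIP normally presents a self-signed certificate; HTTPS is used because
# Strict-Transport-Security is only meaningful on a TLS response.
check_nsip() {
    curl -sk --max-time 10 -o /dev/null -D - "https://$1/" | missing_headers
}

# Live run (example invocation): NSIP=10.0.0.1 sh check_qid11827.sh
if [ -n "${NSIP:-}" ]; then
    _missing=$(check_nsip "$NSIP")
    if [ -z "$_missing" ]; then
        echo "# all QID 11827 headers present on $NSIP"
    else
        gen_commands $_missing
    fi
fi
```

Run it again after binding the policies: an empty result means the scanner's check should now pass. Two caveats on the inserted values themselves: browsers apply Strict-Transport-Security only to hostnames, not to IP literals, so on a management interface reached by IP the header satisfies the scanner but has no browser-side effect; and X-XSS-Protection is no longer honoured by current browsers, so it is inserted only to satisfy the QID.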

Problem Cause

The scan reports QID 11827 because responses from the NetScaler management IP do not include the HTTP security headers listed above; the rewrite policies in the Resolution insert them whenever a response lacks them.

Issue/Introduction

The Qualys scan on NetScaler Management IP fails with message: Q11827 HTTP Security Header Not Detected