Application Gateway HTTP header settings

AzurePro 20 Reputation points
2025-02-17T06:56:12.13+00:00

Some security concerns have been flagged on my application, which is hosted behind Application Gateway, and I have been asked to implement fixes. I would appreciate it if someone could advise how to fix the four points below at the Application Gateway.

  1. No Concurrent Session Control Implemented - The web application permits users to be logged in and active from multiple devices at the same time. While this is necessary functionality for some web applications, it can present a vulnerability if users leave multiple devices logged in and unlocked. Additionally, any attacker who has gained access to a user's account (Mitre TTP T1078) would be able to make use of the web application without alerting the legitimate user that they are doing so. During the assessment, it was possible to open the web application using the same user account on two separate machines, indicating the lack of concurrent session control.

     **Action** - If practical for your web application, ensure that users are permitted to be logged in and active from only one device at a time.

  2. Unrestricted Upload of File with Dangerous Type - Threat actors often rely upon a user opening a malicious file in order to compromise an endpoint or application (Mitre TTP T1204/002 - User Execution: Malicious File). Dangerous file types include executable files, scripts, and documents with embedded macros. The tester was able to upload executable files (exe, bat) that can be used by an attacker in a remote code execution or privilege escalation attack. Compensating Controls: Cortex XDR

     **Action** - Block the upload of dangerous file types, including executable files, scripts, and documents with embedded macros.

  3. Use of Web Browser Cache Containing Sensitive Information - Cacheable HTTPS response - Medium - Websites not configured properly may allow browsers to cache sensitive information that can be retrieved by a threat actor and used to launch a more focused attack against an application (Mitre TTP T1592). This could lead to unauthorized access to the application, impacting the confidentiality and integrity of the application data.

     ATCS-418 - Security Features in Application Design: Implement server-side mitigation methods such as setting a secure cache header [Cache-Control: no-store].

     The no-store keyword was not used, as seen in the HTTP responses. The use of the no-store keyword instructs the browser cache to disable caching. This ensures that sensitive information is not inadvertently saved.

     **Action** - Implement server-side mitigation methods such as setting a secure cache header [Cache-Control: no-store].

  4. Improper Restriction of Rendered UI Layers or Frames - Vulnerable to Clickjacking - A user may input data or click on a webpage element that is invisible or disguised as another element controlled by an attacker, causing the user to unwittingly download malware, visit a malicious web page, or input credentials or sensitive information (Mitre TTP T1189). This could lead to unauthorized access by the attacker to an application and/or impact the confidentiality and integrity of data.

     ATCS-418 - Security Features in Application Design: Implement server-side mitigation methods such as setting the secure header [X-Frame-Options: DENY or SAMEORIGIN].

     X-Frame-Options: DENY is not seen in the HTTP response.

     **Action** - Implement server-side mitigation methods such as setting the secure header [X-Frame-Options: DENY or SAMEORIGIN].

1 answer
  1. Rohith Vinnakota 2,750 Reputation points Microsoft Vendor
    2025-02-17T20:47:51.0566667+00:00

    Hi @AzurePro

    1. No Concurrent Session Control:

    Azure Application Gateway supports a session affinity feature to keep a user's session on the same server, but it cannot itself enforce a "single device login" policy or manage sessions directly. To achieve this, you need to implement session management and token-based authentication within your application backend to effectively manage user sessions across devices.

    2. Unrestricted Upload of File with Dangerous Type:

    In Application Gateway with the Web Application Firewall feature, you can set up WAF rules to block certain file extensions. You can create a custom rule that inspects file uploads and blocks certain file extensions like .exe, .bat, etc.

    Steps to configure the custom rule in WAF:

    1. Navigate to your Application Gateway WAF policy in the Azure portal.
    2. Under Custom Rules, create a rule to block dangerous file extensions:
      • Rule Name: BlockExecutableUploads
      • Priority: 100
      • Condition: Check RequestUri for file extensions (e.g., .*.(exe|bat|dll|ps1)$).
      • Action: Deny Traffic


    3. Use of Web Browser Cache Containing Sensitive Information:

    In Azure Application Gateway, there is an option to rewrite headers to add Cache-Control: no-store to HTTP responses. Below are the steps to configure a Rewrite rule on the Application Gateway.

    1. Navigate to your Application Gateway in the Azure portal.
    2. Under Rewrite Rules, create a rule to add the Cache-Control header:
      • Rule Name: AddCacheControlHeader
      • Action: Set response header
      • Header Name: Cache-Control
      • Header Value: no-store

    4. Improper Restriction of Rendered UI Layers or Frames:

    Similar to the cache issue, this requires setting an additional response header, again using Application Gateway's rewrite rules. Create a rewrite rule to add X-Frame-Options: DENY:

    • Rule Name: AddXFrameOptionsHeader
    • Action: Set response header
    • Header Name: X-Frame-Options
    • Header Value: DENY

    I hope this has been helpful!

    Your feedback is important, so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
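The following is an added example, not code from the original question or answer and not Microsoft's: a small Python emulation of the WAF custom rule described above (Lowercase transform, then a Regex match), run offline against constructed request data. It makes two points a practitioner would want to check before relying on the rule. First, the pattern as written in the answer, `.*.(exe|bat|dll|ps1)$`, leaves the dot unescaped, so it also matches paths that merely end in those letters (`/files/mydll`); `\.(exe|bat|dll|ps1)$` is the intended pattern. Second, a rule that checks only RequestUri never sees the filename of a multipart upload, which travels in the request body, so the sample upload below to `/api/upload` passes the URI-only rule; a second match condition on the body (the RequestBody match variable in Application Gateway WAF) is needed to catch it. The boundary, URIs and body are constructed for the example.

```python
import re

# Constructed emulation of a WAF custom rule: the WAF applies the Lowercase
# transform to the selected match variable, then evaluates the Regex operator.

# Pattern exactly as given in the answer (unescaped dot) and the escaped form.
ANSWER_PATTERN = r".*.(exe|bat|dll|ps1)$"
DANGEROUS_EXT_PATTERN = r"\.(exe|bat|dll|ps1)$"


def waf_match(value: str, pattern: str = DANGEROUS_EXT_PATTERN) -> bool:
    """Emulate one match condition: Lowercase transform, then Regex operator."""
    return re.search(pattern, value.lower()) is not None


def multipart_filenames(body: bytes, boundary: str) -> list[str]:
    """Return the filename= values from a multipart/form-data body, i.e. what a
    match condition on the request body (RequestBody) would get to inspect."""
    delimiter = ("--" + boundary).encode()
    names = []
    for part in body.split(delimiter):
        match = re.search(rb'filename="([^"]*)"', part)
        if match:
            names.append(match.group(1).decode("utf-8", "replace"))
    return names


def upload_blocked(request_uri: str, body: bytes, boundary: str, inspect_body: bool) -> bool:
    """Rule decision. inspect_body=False is the answer's RequestUri-only rule;
    inspect_body=True adds a second condition over the multipart filenames."""
    if waf_match(request_uri):
        return True
    if inspect_body:
        return any(waf_match(name) for name in multipart_filenames(body, boundary))
    return False


# Constructed sample upload: the dangerous extension appears only inside the
# multipart body; the request URI (/api/upload) carries no extension at all.
SAMPLE_BOUNDARY = "----constructedboundary"
SAMPLE_BODY = (
    b"------constructedboundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="Invoice.EXE"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"MZ...\r\n"
    b"------constructedboundary--\r\n"
)

if __name__ == "__main__":
    for uri in ("/downloads/tool.exe", "/files/mydll", "/api/upload"):
        print(f"{uri:22} answer pattern: {str(waf_match(uri, ANSWER_PATTERN)):5} "
              f"escaped pattern: {waf_match(uri)}")
    print("URI-only rule blocks sample upload: ",
          upload_blocked("/api/upload", SAMPLE_BODY, SAMPLE_BOUNDARY, False))
    print("URI+body rule blocks sample upload: ",
          upload_blocked("/api/upload", SAMPLE_BODY, SAMPLE_BOUNDARY, True))
```

Running the script prints that `/files/mydll` is blocked by the unescaped pattern but not by the escaped one, and that the constructed upload is only blocked once the body filenames are inspected as well. Extension matching is a coarse control either way; the application's own upload handler should still validate and store uploads safely, and the WAF rule is best treated as the perimeter layer in front of that.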

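As an added example (not part of the original question or answer, and not Microsoft's code), here is a Python check for findings 3 and 4 that a tester can run against captured responses offline: it parses a raw HTTP response, emulates the "Set response header" action of the two rewrite rules from the answer, and reports whether Cache-Control carries no-store and whether X-Frame-Options is DENY or SAMEORIGIN. The backend response, the cookie value and the header set are constructed for the example.

```python
# Constructed example: audit a raw HTTP response for the cache and framing
# headers, before and after the gateway rewrite rules are emulated.

def parse_headers(raw_response: bytes) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a lower-cased dict."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    _status_line, _, header_block = head.partition(b"\r\n")
    headers: dict[str, str] = {}
    for line in header_block.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def apply_rewrite(headers: dict[str, str], set_headers: dict[str, str]) -> dict[str, str]:
    """Emulate the rewrite rule's "Set response header" action: each header in
    set_headers is written to the response, replacing any value the backend sent."""
    result = dict(headers)
    for name, value in set_headers.items():
        result[name.lower()] = value
    return result


def audit(headers: dict[str, str]) -> dict[str, bool]:
    """One pass/fail flag per finding."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    xfo = headers.get("x-frame-options", "").strip().upper()
    return {
        "cache_control_no_store": "no-store" in directives,
        "x_frame_options_set": xfo in {"DENY", "SAMEORIGIN"},
    }


# Constructed backend response: a sensitive page that is both cacheable and frameable.
BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Cache-Control: max-age=3600\r\n"
    b"Set-Cookie: session=constructed; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# The two rewrite rules from the answer, as header name/value pairs.
REWRITE_SET_HEADERS = {"Cache-Control": "no-store", "X-Frame-Options": "DENY"}


def audit_after_gateway(raw_response: bytes = BACKEND_RESPONSE) -> dict[str, bool]:
    """Audit the response as the client would see it after the rewrite rules ran."""
    return audit(apply_rewrite(parse_headers(raw_response), REWRITE_SET_HEADERS))


if __name__ == "__main__":
    print("backend as-is: ", audit(parse_headers(BACKEND_RESPONSE)))
    print("after rewrite: ", audit_after_gateway())
```

Two things the emulation makes visible. "Set response header" replaces whatever the backend sent, so the `max-age=3600` above becomes `no-store`; that is what the finding asks for, but the rule applies to every response routed through the listener and routing rule it is attached to, including static assets, unless the rewrite rule is given a condition that narrows it (for example on the response Content-Type). And the check only confirms the headers are present as received by the client; it is still worth re-running it after each gateway change rather than assuming the rule stayed attached.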
