Deny access to resource based on HTTP Headers

In this blog I will describe how to configure the Citrix NetScaler to deny access to a resource based on HTTP headers. This is often used to deny access to a website for particular web browsers or devices.


A few days ago a customer asked me if it was possible to deny access to a back-end server from the Internet for every device except an iPad/iPhone with the builder's app installed. So only the app should have access to the back-end server.

I realized this by using the Content Switching feature in the NetScaler. As the policy expression (condition) I used:

(HTTP.REQ.HOSTNAME.CONTAINS("URL") && HTTP.REQ.HEADER("User-Agent").CONTAINS("iPad") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Safari").NOT) ||
(HTTP.REQ.HOSTNAME.CONTAINS("URL") && HTTP.REQ.HEADER("User-Agent").CONTAINS("iPhone") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Safari").NOT)

On Apple iOS the User-Agent of both Safari and Google Chrome contains "Safari", so in this case this would be enough to exclude both browsers.

Of course, the User-Agent header is set by the client, so when somebody uses a tool to fake HTTP headers they still get access, but at least it's something.
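To check which clients the expression above actually lets through, here is a small Python model of the rule's semantics (an added example, not the post's own configuration and not NetScaler code). The hostname backend.example.com replaces the post's "URL" placeholder, and all User-Agent strings are constructed samples.

```python
# Added example: a plain-Python model of the Content Switching rule from the
# post, evaluated against constructed User-Agent strings. It mirrors the
# semantics of HTTP.REQ.HOSTNAME.CONTAINS / HTTP.REQ.HEADER(...).CONTAINS
# (case-sensitive substring tests); it is not NetScaler code.

HOSTNAME = "backend.example.com"  # assumed value for the post's "URL" placeholder


def header_contains(headers, name, needle):
    """Model of HTTP.REQ.HEADER(name).CONTAINS(needle); a missing header never matches."""
    return needle in headers.get(name, "")


def rule_matches(hostname, headers):
    """Model of the post's expression with its grouping made explicit:
    host matches, UA names an iPad or iPhone, and UA does NOT contain 'Safari'."""
    host_ok = HOSTNAME in hostname
    ua_is_ios_device = (header_contains(headers, "User-Agent", "iPad")
                        or header_contains(headers, "User-Agent", "iPhone"))
    ua_is_browser = header_contains(headers, "User-Agent", "Safari")
    return host_ok and ua_is_ios_device and not ua_is_browser


# Constructed samples: the app's own UA, Safari on iPad, Chrome on iPhone
# (whose UA also carries "Safari"), a desktop browser, and a client that simply
# sends a copy of the app's UA, which the rule cannot tell apart from the app.
SAMPLES = {
    "app": "ExampleApp/2.1 (iPad; iOS 9.3; Scale/2.00)",
    "safari_ipad": "Mozilla/5.0 (iPad; CPU OS 9_3 like Mac OS X) AppleWebKit/601.1.46 "
                   "(KHTML, like Gecko) Version/9.0 Mobile/13E233 Safari/601.1",
    "chrome_iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1 "
                     "(KHTML, like Gecko) CriOS/49.0.2623.73 Mobile/13E233 Safari/601.1",
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
    "copied_app_ua": "ExampleApp/2.1 (iPad; iOS 9.3; Scale/2.00)",
}


def evaluate_samples(hostname=HOSTNAME):
    """Return {sample name: True if the rule forwards the request, else False}."""
    return {name: rule_matches(hostname, {"User-Agent": ua})
            for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, forwarded in evaluate_samples().items():
        print(f"{name:15s} -> {'forwarded to back-end' if forwarded else 'denied'}")
```

The last sample shows the limit the post mentions: anything that presents the app's User-Agent is indistinguishable from the app, so this rule reduces casual browser access but is not an authentication control.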

Another option is to configure AAA (NetScaler authentication) for devices that are not Apple iOS devices and for non-app users, so that they can still use the web functionality of the application after authenticating.

Sources: https://developer.chrome.com/multidevice/user-agent
