HTTP Security headers for error pages

Bruno · September 13, 2018, 11:27am

Hello,

I’ve seen this article: Neatly bypassing CSP. And it appears that the error pages served by haproxy can be used to bypass some Content-Security-Policy rules.

It looks like it should be possible to customize the error from haproxy with the errorfile command, but it’s tedious to do that for each HTTP status code. Is it possible to add an HTTP header for all the error pages served by haproxy without having to edit the error for each status code?

And maybe the haproxy developpers should consider having X-Frame-Options: DENY by default for the error pages. I’m not sure, but it looks like a good default.

lukastribus · September 13, 2018, 2:23pm

We also have that problem with HSTS and other headers, and it’s not only error pages, http redirects are also affected:

https://www.mail-archive.com/haproxy@formilux.org/msg25061.html

https://www.mail-archive.com/haproxy@formilux.org/msg29294.html

https://www.mail-archive.com/haproxy@formilux.org/msg16156.html

This is something that is still on the todo list.

Topic		Replies	Views
Customize error page by haproxy Help!	2	1463	June 7, 2019
Can't get dynamic custom error pages to work (HAProxy 2.3.5 on RHEL 8) Help!	2	1619	April 17, 2021
Errorfile with conditions Help!	3	723	February 4, 2021
Custom 503 error files not loaded Help!	0	30	September 9, 2024
400 Bad request Help!	13	15032	November 6, 2018

HTTP Security headers for error pages

Related topics