Tip

This topic is only relevant if you're relying on HTTP request headers to pass attribute information from the SP to your applications. The default is to rely on Server Variables that are internal to the web server and are not subject to client influence.

Background

The SP includes a feature called "spoof checking". The purpose of this feature is to actively scan/police the HTTP headers in each client request and attempt to detect if any of them map to a header variable under the SP's "control". The SP maintains a list of all the possible header names that it might be expected to create in response to a user session, including all of the mappings based on attributes. If the client attempts to supply its own value for one of these headers, this feature tries to detect that and block the request with an error message (and log the attempt).

...

The spoofKey value is intended to be a long, random string of alphanumerics that is hidden from clients. The SP uses this value to distinguish between requests from a client and requests to which the SP has already added headers. It explicitly creates an extra header containing this key, and the theory is that if the client can't guess it, it can't fool the SP into bypassing detection. The SP assumes that if the header and its value are present, the request has already passed the detection step.
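The check described above, written out as an added illustration for this page rather than the SP's own code. It assumes a marker header name of X-Spoof-Check-Key (the page does not give the real one) and a constructed list of SP-controlled header names.

```python
import hmac
import secrets

# Name of the marker header the SP adds once it has processed a request.
# Assumed name for this example; the page does not state the real header name.
SPOOF_KEY_HEADER = "X-Spoof-Check-Key"

# Constructed sample of headers under the SP's "control": session headers plus
# every header name produced by the attribute mappings.
CONTROLLED_HEADERS = ["Shib-Session-ID", "Shib-Identity-Provider", "eppn", "affiliation"]


def generate_spoof_key(nbytes: int = 32) -> str:
    """Long random alphanumeric string, hidden from clients (what spoofKey should be)."""
    return secrets.token_hex(nbytes)


def spoof_check(request_headers: dict, controlled_headers, spoof_key: str):
    """Police one request's headers.

    Returns (allowed, reason, offending). A request carrying the secret marker is
    treated as already processed and passes untouched; otherwise any client-supplied
    header whose name is under SP control is reported and the request is blocked.
    """
    # HTTP header names are case-insensitive, so compare in a normalised form.
    controlled = {name.lower() for name in controlled_headers}
    lowered = {name.lower(): value for name, value in request_headers.items()}

    marker = lowered.get(SPOOF_KEY_HEADER.lower())
    # Constant-time comparison so response timing does not leak the key.
    if marker is not None and hmac.compare_digest(marker, spoof_key):
        # This is exactly why the key must stay secret: a client that learns it
        # can present the marker and skip the check below.
        return True, "already processed", []

    offending = sorted(name for name in request_headers if name.lower() in controlled)
    if offending:
        # The SP blocks with an error and logs the attempt; here we just report it.
        return False, "client supplied SP-controlled header(s)", offending
    return True, "clean", []


if __name__ == "__main__":
    key = generate_spoof_key()
    client = {"Host": "app.example.org", "eppn": "spoofed@example.org"}
    print(spoof_check(client, CONTROLLED_HEADERS, key))    # blocked
    internal = {"Host": "app.example.org", "eppn": "alice@example.org", SPOOF_KEY_HEADER: key}
    print(spoof_check(internal, CONTROLLED_HEADERS, key))  # already processed
```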

Note

Disable dumping arbitrary/all request headers

For obvious reasons, you MUST prevent the client from accessing any server-side scripts that might expose the spoofKey value through a dump of arbitrary (or all) request headers.

Scripts like this are often used in debugging problems by "dumping" the request variables available to applications. Note that blocking or removing such scripts is a standard server-hardening measure that should not be unusual or unfamiliar.

Platform Notes

IIS

Note

Update to the latest IIS module

The modern IIS module supports Server Variables and should be used in preference to the old "ISAPI" plugin.

The (old) ISAPI filter API does not support the creation of server variables, so request headers are used out of necessity as a portable communication channel to applications. As a result, the detection feature should be enabled in all cases. To facilitate this, the ISAPI filter module will automatically generate a random spoofKey value if one is not set for it, and if it can't do so it will refuse to run.

...