Add a header to webConfigurator server

I'm getting failures from Qualys security scans of my pfSense boxes for missing this header in the connection to the webConfigurator:

HTTP Security Header Not Detected

X-XSS-Protection HTTP Header missing on port 443.

They want this in the output of the server connection.

X-XSS-Protection "1; mode=block"

I made the change to the /etc/inc/ file so it was included.

Is there a way to make this change permanent or will that be something pfSense will have to include in their updates?



You got it backwards.
The GUI should be visible from LAN only, as it has been set up when you installed. Not from WAN. The GUI should never never be exposed on WAN; it isn't built for that.
If you need to access the GUI from the WAN side, use the VPN facilities built into pfSense. is a tool to test public web sites. The GUI is everything but a public web site.

While I agree completely that the web GUI should not be exposed to the public, and really should be limited to admin access from a secure network anyway, why would you not follow current practice for specific headers?

There are many headers that are recommended to be set. Along with X-XSS-Protection, I don't see either


set as well.

I am not too worried about it since you can only access my GUI from my secure network anyway, from my trusted machine. But again, why not set recommended security headers?

You can view the headers easily with a simple curl to your pfSense GUI from your secure LAN side; no reason to expose it to the public for some test site to hit.
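As an added example, not part of this thread or of pfSense itself: a small POSIX shell script that does the LAN-side curl check described above and reports which recommended headers the webConfigurator is missing. PFSENSE_URL is a hypothetical variable you set yourself, the sample response is constructed, and the three header names beyond X-XSS-Protection and Content-Security-Policy are other commonly recommended ones, not ones named in this thread.

```shell
#!/bin/sh
# Added example (not pfSense's own code): report which recommended security
# headers the webConfigurator returns. Run it from a machine on the LAN.
# PFSENSE_URL is a hypothetical variable, e.g. PFSENSE_URL=https://192.168.1.1

# X-XSS-Protection and Content-Security-Policy are discussed in the thread;
# the remaining three are other commonly recommended headers.
WANTED_HEADERS="X-XSS-Protection Content-Security-Policy Strict-Transport-Security X-Frame-Options X-Content-Type-Options"

# Constructed sample response (not captured from a real box) for a GUI that
# sets only two of the five headers.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
'

# fetch_headers URL: print only the response headers. -k accepts the GUI's
# self-signed certificate, -D - dumps headers to stdout, the body is dropped.
fetch_headers() {
    curl -sk -D - -o /dev/null "$1"
}

# missing_headers: read raw response headers on stdin and print the name of
# each wanted header that is absent (case-insensitive match), one per line.
missing_headers() {
    headers=$(tr -d '\r')
    for h in $WANTED_HEADERS; do
        printf '%s\n' "$headers" | grep -qi "^$h:" || printf '%s\n' "$h"
    done
}

# report_headers: human-readable version of the same check; returns 1 if any
# wanted header is missing so it can be used in scripts.
report_headers() {
    headers=$(tr -d '\r')
    rc=0
    for h in $WANTED_HEADERS; do
        line=$(printf '%s\n' "$headers" | grep -i "^$h:" | head -n 1)
        if [ -n "$line" ]; then printf 'present  %s\n' "$line"
        else printf 'MISSING  %s\n' "$h"; rc=1; fi
    done
    return $rc
}

if [ -n "${PFSENSE_URL:-}" ]; then
    fetch_headers "$PFSENSE_URL" | report_headers
else
    echo "PFSENSE_URL not set; checking the constructed sample response instead"
    printf '%s' "$SAMPLE_RESPONSE" | report_headers || echo "sample is missing headers, as expected"
fi
```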


--- Quote from: johnpoz on February 16, 2018, 05:39:13 am ---Content-Security-Policy

--- End quote ---

There's a ticket open for this one:

Not sure about the others. Probably due for a review in general, when that ticket gets addressed. Might drop a comment on there with the others.

Thanks Jimp. Will take a look and add a comment as appropriate.


