How to check the presence of Response Security Headers in PAN-OS
Created On 01/04/21 16:36 PM - Last Modified 03/08/23 22:16 PM
Objective
How to manually check for the presence of a security header in the PAN-OS web interface when a vulnerability scan or penetration test report states that the header is missing, a false positive is suspected, and no automated or commercial tool is readily available to verify the finding.
Environment
- PAN-OS
Procedure
Note: This procedure is provided for informational purposes only. Palo Alto Networks does not support any third-party operating systems or tools.
Option 1: Using curl from a Linux-based system
From a Linux-based system, run the following commands for a quick check of the response headers. Check both the root URL and the login page, because the headers returned on a redirect response can differ from those returned on the page it redirects to. The -k option disables certificate verification so the check works against the self-signed certificate typically presented by the management interface; it is acceptable here because only the headers are being inspected.
$ curl -k --head https://<Firewall_IP>/
$ curl -k --head https://<FQDN>/
$ curl -k --head https://<Firewall_IP>/php/login.php
$ curl -k --head https://<FQDN>/php/login.php
Note that --head sends an HTTP HEAD request. If the output does not match what a browser receives, repeat the check with a GET request and print only the headers, for example: curl -k -sS -D - -o /dev/null https://<FQDN>/php/login.php
Figure 1 - Sample output of the curl command showing the response headers returned by the firewall (image not reproduced).
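The following script is an added example and is not part of the original article or of any Palo Alto Networks tooling. It automates the curl check above: it fetches the response headers with a GET request and reports which expected security headers are missing, matching header names case-insensitively because HTTP header names are case-insensitive. The list of header names is an assumption taken from the OWASP Secure Headers Project recommendations, not a statement of which headers PAN-OS returns; the <FQDN> placeholders in the usage comment are the same ones used in this article.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks KB article.
# Fetch the response headers of a PAN-OS web interface with curl and
# report which expected security headers are missing.

# Header names to look for. This list is an assumption based on the OWASP
# Secure Headers Project recommendations; it is not a list of what PAN-OS
# is documented to return.
WANTED_HEADERS="Strict-Transport-Security X-Frame-Options X-Content-Type-Options Content-Security-Policy Referrer-Policy Permissions-Policy"

# fetch_headers URL
# Issue a GET (not HEAD) and print only the response headers, because some
# servers answer HEAD with a different header set than GET.
#   -k            accept the self-signed certificate a management interface usually has
#   -sS           silent, but still report errors
#   -D -          write the response headers to stdout
#   -o /dev/null  discard the body
fetch_headers() {
    curl -k -sS -D - -o /dev/null "$1"
}

# missing_headers < header_dump
# Read a raw header dump on stdin and print, one per line, the names from
# WANTED_HEADERS that do not appear. Names are matched case-insensitively
# and CRLF line endings are tolerated. Returns 0 when nothing is missing,
# 1 otherwise.
missing_headers() {
    dump=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for name in $WANTED_HEADERS; do
        lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$dump" | grep -q "^$lname:"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_headers.sh https://<FQDN>/ https://<FQDN>/php/login.php
# Each URL given on the command line is fetched and checked separately,
# so the redirect response and the login page can be compared.
if [ $# -gt 0 ]; then
    for url in "$@"; do
        if missing=$(fetch_headers "$url" | missing_headers); then
            echo "$url: all expected security headers present"
        else
            echo "$url: missing headers:"
            echo "$missing"
        fi
    done
fi
```

Because missing_headers reads a header dump from stdin, the same function can be run over headers captured earlier (for example the output saved from the curl commands above) without contacting the firewall again.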
Option 2: Using Browser Developer Tools
As an example, in Chrome open Developer Tools ([F12] or [Ctrl]+[Shift]+[I]), select the Network tab, and then load the firewall login page or the GlobalProtect portal page. Select the request for that page and review the Response Headers section to confirm whether the header in question is present.
Figure 2 - Sample screenshot of Chrome Developer Tools showing the security headers in the response (image not reproduced).
Option 3: Using online sites to check public-facing interfaces
Online tools can also verify the presence of security headers on a public-facing interface, such as a GlobalProtect portal, by entering its FQDN or public IP in the site of your choice. The interface must be reachable from the internet for this to work, and submitting the address discloses it to the third-party service, so this option is not suitable for a management interface that is not exposed.
As an example, one might use the site below: https://www.serpworx.com/check-security-headers/
Additional Information
https://owasp.org/www-project-secure-headers/