Mike Elissen

Why can I not see any Akamai Pragma headers?

Blog Post created by Mike Elissen Champion on Sep 8, 2017

Akamai has the ability to show Akamai Pragma header information. Even if the headers are set up correctly in a plug-in like Modify Headers, there might be a situation where this information is not shown. If you are using a security product like the Web Application Firewall, it contains a rule that strips the Pragma data to prevent it from leaking.

699989 Akamai-X debug Pragma header detected and removed

The Akamai Pragma can leak information about WAF rules triggered, cacheability, internal variables for metadata mitigation, and state. Attackers can use this information to gain intelligence about security controls at the edge and develop evasions or more effective attacks. Mitigation: If a Pragma header has an akamai-x value, this rule will strip all Pragma headers in the request and either deny or alert based on UI settings.

While this rule keeps the header information from being shown to anyone who sends the Pragma headers, this might be frustrating when troubleshooting.

You can add a rule exclusion by clicking on Edit Rule Conditions in a new version of your WAF config. Select rule 699989 and click on the gear icon for Edit Rule Conditions. Then select IP Address and add the IP addresses/ranges that you are using yourself.
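To check an exclusion list before activating the new config version, the following added example (not Akamai's code and not part of the original post) models rule 699989 as described above and runs it over constructed requests. The function names, the sample IP ranges and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Assumption: ranges entered under Edit Rule Conditions > IP Address
# (documentation-range addresses, constructed for this example).
EXCLUDED_RANGES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "2001:db8:10::/48")]

def has_akamai_debug_pragma(headers):
    """True if any Pragma header carries an akamai-x value (the rule's trigger)."""
    for name, value in headers:
        if name.strip().lower() != "pragma":
            continue
        # Pragma holds a comma-separated list of directives.
        if any(tok.strip().lower().startswith("akamai-x")
               for tok in value.split(",")):
            return True
    return False

def is_excluded(client_ip):
    """True if the client IP falls inside one of the exclusion ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net
               for net in EXCLUDED_RANGES)

def evaluate(client_ip, headers, action="deny"):
    """Return (verdict, headers passed on) for one request."""
    if not has_akamai_debug_pragma(headers):
        return "pass", headers
    if is_excluded(client_ip):
        return "excluded", headers  # troubleshooting IP: Pragma left intact
    # The rule strips all Pragma headers, not only the akamai-x ones.
    stripped = [(n, v) for n, v in headers if n.strip().lower() != "pragma"]
    return action, stripped  # "deny" or "alert", per the UI setting

# Constructed sample requests: (client IP, request headers).
SAMPLE_REQUESTS = [
    ("198.51.100.7", [("Host", "www.example.com"),
                      ("Pragma", "akamai-x-cache-on, akamai-x-get-cache-key")]),
    ("203.0.113.25", [("Host", "www.example.com"),
                      ("Pragma", "akamai-x-cache-on")]),
    ("198.51.100.9", [("Host", "www.example.com"), ("Pragma", "no-cache")]),
    ("198.51.100.7", [("Host", "www.example.com"), ("pragma", "no-cache"),
                      ("PRAGMA", "Akamai-X-Check-Cacheable")]),
]

def audit(requests, action="deny"):
    """Verdict per request, in order."""
    return [evaluate(ip, hdrs, action)[0] for ip, hdrs in requests]

if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(ip, verdict)
```

Keep the exclusion ranges as narrow as your troubleshooting needs allow, since every address in them can still see the debug information.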

 
