This software helps protecting against the most common types of web attacks, such as reflection XSS and SQL injection. It acts as a middleware layer between a web server and the user's browser to filter malicious content present in the traffic between both parts. This program is not supposed to replace good programming practices, but rather as an additional security layer for those websites which are still vulnerable to the aforementioned attacks.
Squid cache is required to run this software: more information can be found here.
- Install Python
Make sure Python 3 is installed on your system.
# Windows
py -3 --version
# Linux
python3 --version
- Run installation script
# Windows (cmd)
install.cmd
# Windows (Powershell)
.\install.ps1
# Linux
./install.sh
- Start the server
# Windows (cmd)
http_sanitizer_server.cmd
# Windows (Powershell)
.\http_sanitizer_server.ps1
# Linux
./http_sanitizer_server.sh
⚠ This software only supports Python 3.
Configure Squid cache to support the two ICAP services offered by this software. The server is running on port 13440 by default. The following sample configuration is provided.
icap_enable on
icap_persistent_connections off
icap_log /var/log/squid/icap.log
icap_service xss_auditor respmod_precache bypass=off icap://127.0.0.1:13440/xss_auditor
adaptation_access xss_auditor allow all
icap_service body_sanitizer reqmod_precache bypass=off icap://127.0.0.1:13440/body_sanitizer
adaptation_access body_sanitizer allow all
⚠ Restarting Squid cache may be needed after changing the configuration.
⚠ Make sure HTTP Sanitizer Server is already running before restarting Squid, or the connection may sometimes fail.
Of course Squid cache and HTTP Sanitizer Server can be run on two different hosts by providing a different IP/domain into the squid configuration file, but since ICAP does not provide support for traffic encryption, the communication has to be secured by external means.
For more information the official documentation can be found here.
