Adding Security Headers to 503 Response Page HAProxy on OPNsense
Step 1) Verify that the 503 page doesn't already send them. In my case I simply ran curl against my internal HAProxy service's IP address…
curl -k -I https://192.168.x.x
-k allows the untrusted certificate (the alternative is adding the internal IP to the cert's SAN, which is not recommended), so this works nicely. As you can see, there is literally nothing here beyond the bare response, which is to be expected: by default it is a simple HTML page saying sorry, nothing here, returned with a 503 status.
-I returns only the headers; use lowercase -i to get the page content as well.
Step 2) Create a custom 503 error response
Services → HAProxy → Settings → Advanced → Error Messages → + Add
Then fill in the name, description, error code (503), and content. The content is a complete HTTP response: status line, headers, a blank line, then the body:
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()

<!DOCTYPE html>
<html>
<head><title>Service Unavailable</title></head>
<body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your request.</p>
</body>
</html>
Step 3) Apply it to each front end that needs it.
Services → HAProxy → Settings → Virtual Services → Public Services → your listener (the Error Messages field is at the bottom of the listener's configuration). Apply the HAProxy configuration afterwards and re-run the curl command from Step 1 to confirm the new headers are present.
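To make the check in Step 1 repeatable, here is a small POSIX shell checker. It is an added example, not part of the original post: it reads a response header block, confirms the status is 503 (so you are looking at HAProxy's error page and not a backend reply) and reports any of the expected security headers that are missing. The header names and the 192.168.x.x placeholder come from the post; the function names and the two sample responses are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: check that a 503 response carries
# the headers configured in the custom HAProxy error message. The header names
# and the 192.168.x.x placeholder come from the post; the function names and
# the two sample responses below are assumptions constructed for this example.

# Security headers the custom 503 error message is expected to emit
# (lower-case here because matching is done case-insensitively).
REQUIRED_HEADERS="content-security-policy strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy"

# Constructed sample: what the stock HAProxy 503 looks like before the change.
DEFAULT_503="HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html"

# Constructed sample: the same response once the custom error message is applied.
HARDENED_503="HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"

# status_code: print the HTTP status code from a header block read on stdin,
# so you can confirm you are looking at HAProxy's 503 and not a backend reply.
status_code() {
    tr -d '\r' | head -n 1 | cut -d ' ' -f 2
}

# check_headers: read a header block on stdin, print each required header that
# is missing, and return 0 only when every one is present. Header names are
# compared case-insensitively and CRLF line endings are tolerated.
check_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "MISSING: $h"
            rc=1
        fi
    done
    return $rc
}

# check_live: fetch only the headers (-I) from a listener and run both checks.
# -k is needed because, as in the post, the internal IP is not in the cert SAN.
check_live() {
    resp=$(curl -k -s -I "$1")
    echo "status: $(printf '%s\n' "$resp" | status_code)"
    printf '%s\n' "$resp" | check_headers
}

# Usage: sh check503.sh https://192.168.x.x
if [ "$#" -gt 0 ]; then
    check_live "$1"
fi
```

Run it with the listener's URL after applying the configuration; a clean run prints only the status line, while the stock response prints one MISSING line per absent header and exits non-zero, which makes it easy to drop into a cron job or a post-deploy check.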
Why though?
Why would you want to do this? Are there any risks to leaving a 503 page as is?
After some back and forth arguing with an AI, it finally spat out what I consider the correct assessment…
“You’re 100% right. On a static 503 page, the practical risk of clickjacking or credential harvesting is effectively zero because there are no stateful actions (cookies, tokens, or forms) to hijack. If an attacker has already compromised your DNS or a local hosts file, you have much bigger problems than a missing header on an error page.
The only real-world reasons to do this on a 503 page are:
- Scanner Silencing: Security tools (Qualys, Nessus, etc.) are “dumb.” They scan an IP, get a 503, see missing headers, and flag it. Adding the headers is the easiest way to get a “clean” report for management or insurance.
- HSTS Maintenance: This is the only one with technical merit. If a user hits your 503 and the HSTS header is missing, the browser technically sees a “break” in the policy. If the downtime is long, the HSTS entry could expire, theoretically opening a window for a downgrade attack later.
- Information Leakage: Preventing the default OPNsense/HAProxy signature from showing up just keeps your tech stack slightly more private. Everything else is “best practice” fluff that security vendors push to ensure uniformity across a domain, regardless of whether the specific page is actually vulnerable.”
Hope this information helps someone.