Forum Discussion
APM iRule manipulating CSP headers
Hello all!
We are trying to improve the security of our APM application, especially the HTTP headers - CSP, HSTS, X-Type, etc.
Though we implemented an iRule on a normal virtual server and it changed the headers correctly, when trying to add it to an APM virtual server either it doesn't do anything or it breaks. We added it normally to the vs, we tried adding the ACCESS::restrict_irule_events disable statement but it won't do anything, and last we tried adding a virtual server which only hosts the iRule and redirects to the apm virtual server (virtual "vs_name").
While I'm asking for some technical guidance, it would also be useful to know if this is even necessary for an APM portal. It hosts some applications and network access.
Here's the iRule:
when RULE_INIT {
    # Certificate pins for HPKP and a shared max-age (seconds) for HSTS/HPKP
    set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
    set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
    set static::max_age 15552000
}

when HTTP_REQUEST {
    log local0. "log request"
    # HTTP::respond answers the client at once and ends request processing,
    # so the header inserts below this line are never reached
    HTTP::respond 301 Location "http://[HTTP::host][HTTP::uri]"
    if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
    if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
    # header value is the bare token nosniff, without quotes
    if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
}

when HTTP_RESPONSE {
    log local0. "Log response"
    # HSTS
    HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
    # HPKP: directives are separated by ';' and a backup pin is required
    HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\"; pin-sha256=\"$static::fqdn_pin2\"; max-age=$static::max_age; includeSubDomains"
    # X-XSS-Protection
    HTTP::header insert X-XSS-Protection "1; mode=block"
    # X-Frame-Options
    HTTP::header insert X-Frame-Options "DENY"
    # X-Content-Type-Options
    HTTP::header insert X-Content-Type-Options "nosniff"
    # CSP
    HTTP::header insert Content-Security-Policy "default-src 'self'"
    # CSP for older IE
    HTTP::header insert X-Content-Security-Policy "default-src 'self'"
}
Thank you for your time!
2 Replies
- Lucas_Thompson_Historic F5 Account
Not really following what putting those in HTTP_REQUEST will do for you. X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options are headers that manipulate browser behavior.
In sort of a basic way, these are the events you're probably interested in:
Request:  Client ------[HTTP_REQUEST]------> APM -------[HTTP_REQUEST_RELEASE]------> Backend
Response: Client <-----[HTTP_RESPONSE_RELEASE]----- APM <--------[HTTP_RESPONSE]---- Backend
So, probably you'd be interested more in HTTP_RESPONSE_RELEASE because you're trying to mess with headers that are meant for the client's user-agent.
Specifically though, APM already inserts "X-Frame-Options" on its pages (logon pages, webtop, etc) so you don't need to add this by disabling ACCESS::restrict_irule_events. For those other things, you can probably just put them in HTTP_RESPONSE_RELEASE.
You may find the "HTTP::header replace" useful, it inserts if not exists, but replaces if it does exist.
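The approach Lucas describes, written out as an added example rather than code from either poster: the headers are set in HTTP_RESPONSE_RELEASE with HTTP::header replace, X-Frame-Options is only filled in when APM has not already set it, and the CSP is deployed in report-only mode first (an assumption of this example, not something the thread recommends). HPKP is omitted because browsers have dropped support for it.

```tcl
# Added example, not the original poster's iRule. Assumes an HTTPS APM virtual server.
when RULE_INIT {
    set static::hsts_max_age 15552000
    set static::csp "default-src 'self'"
}

when HTTP_RESPONSE_RELEASE {
    # HTTP::header replace inserts the header when it is absent and overwrites it
    # when it is present, so each header reaches the browser exactly once.
    HTTP::header replace Strict-Transport-Security "max-age=$static::hsts_max_age; includeSubDomains"
    HTTP::header replace X-Content-Type-Options "nosniff"
    HTTP::header replace X-XSS-Protection "1; mode=block"

    # APM already sets X-Frame-Options on its own pages (logon, webtop);
    # only add it on responses that lack it.
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert X-Frame-Options "SAMEORIGIN"
    }

    # A strict CSP blocks inline script and style on pages you do not control.
    # Report-only mode logs violations in the browser console without breaking
    # the page; switch to Content-Security-Policy once it is clean.
    if { [HTTP::header exists "Content-Security-Policy"] } {
        log local0. "CSP already set by origin: [HTTP::header value Content-Security-Policy]"
    } else {
        HTTP::header insert Content-Security-Policy-Report-Only $static::csp
    }
}
```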
- Antonio_Bitto_1
Nimbostratus
Thanks Lucas, I've been struggling for weeks trying to intercept and modify the Response without using an external "landing" virtual server! With that HTTP_RESPONSE_RELEASE and your events flow diagram you made my day! :)