Forum Discussion
APM iRule manipulating CSP headers
Not really following what putting those in HTTP_REQUEST will do for you. X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options are headers that manipulate browser behavior.
In sort of a basic way, these are the events you're probably interested in:
Request:
Client ------[HTTP_REQUEST]------> APM -------[HTTP_REQUEST_RELEASE]------> Backend
Response:
Client <-----[HTTP_RESPONSE_RELEASE] ----- APM <--------[HTTP_RESPONSE]---- Backend
So, probably you'd be interested more in HTTP_RESPONSE_RELEASE because you're trying to mess with headers that are meant for the client's user-agent.
Specifically though, APM already inserts "X-Frame-Options" on its pages (logon pages, webtop, etc.), so you don't need to add this by disabling ACCESS::restrict_irule_events. For those other things, you can probably just put them in HTTP_RESPONSE_RELEASE.
You may find "HTTP::header replace" useful: it inserts the header if it does not exist, but replaces it if it does.
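The approach described in the reply above, as an added iRule sketch that is not part of the original post: the client-facing headers are set in HTTP_RESPONSE_RELEASE rather than HTTP_REQUEST. Because `HTTP::header replace` acts on the last occurrence of a header, this version removes every backend-supplied copy and inserts a single value instead; the header values are constructed sample policy, not recommendations from the thread.

```tcl
# Added example, not from the original post.
# Header values below are constructed sample policy; adjust per application.
when HTTP_RESPONSE_RELEASE {
    # Headers the proxy should own outright: exactly one value each.
    set owned {
        "X-Content-Type-Options"  "nosniff"
        "X-XSS-Protection"        "1; mode=block"
        "Content-Security-Policy" "default-src 'self'; frame-ancestors 'self'"
    }
    foreach {name value} $owned {
        # Remove all copies sent by the backend so the client never sees
        # two conflicting values, then add the authoritative one.
        HTTP::header remove $name
        HTTP::header insert $name $value
    }

    # X-Frame-Options: add it only when the response does not already
    # carry one, so an existing value is left untouched.
    if { ![HTTP::header exists "X-Frame-Options"] } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
}
```

To confirm the result, request a page through the virtual server and check that each of these headers appears exactly once in the response.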