Forum Discussion
APM irule to add security headers on http_response
I have been trying to add an iRule to shore up security on a virtual server. Qualys is reporting vulnerabilities. In this instance, the user hits an F5 login page for manual authentication (user/password). My iRules are only being hit on request, not response. Rules are currently:
when HTTP_RESPONSE {
HTTP::header replace Cache-Control "no-cache,no-store,must-revalidate"
HTTP::header insert Pragma "no-cache"
}
and
when HTTP_RESPONSE {
    # Insert each header only if the response does not already carry it
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    # The value is the bare token nosniff, without surrounding quote characters
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}
Any help would be appreciated.
1 Reply
- iaine
Nacreous
Hi
Are you not seeing the headers in the APM pages...? If so, you need to expose these to the HTTP iRule events using this
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable }
https://devcentral.f5.com/wiki/iRules.ACCESS__restrict_irule_events.ashx?NoRedirect=1
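To confirm that responses from the login page actually carry the headers once the iRules fire, a response head can be audited against the values the iRules in the question set. This is an added example, not part of the thread; the function names and the sample responses are constructed for illustration. It also flags a value wrapped in literal quote characters and a header sent twice, which an unconditional `HTTP::header insert` can cause.

```python
# Added example: audit a raw HTTP response head against the iRule header values.
EXPECTED = {  # values taken from the iRules in the question
    "Cache-Control": "no-cache,no-store,must-revalidate",
    "Pragma": "no-cache",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
}

def normalize(value):
    # Ignore case and whitespace so "no-cache, no-store" matches "no-cache,no-store".
    return "".join(value.split()).lower()

def parse_headers(raw):
    # Return {lower-cased name: [values]} for the head of a raw response.
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(raw):
    # Return {header name: problem}; an empty dict means every header is as expected.
    seen = parse_headers(raw)
    findings = {}
    for name, want in EXPECTED.items():
        values = seen.get(name.lower(), [])
        if not values:
            findings[name] = "missing"
        elif len(values) > 1:
            findings[name] = "duplicated"
        elif normalize(values[0]) != normalize(want):
            findings[name] = "unexpected value: " + values[0]
    return findings

def build(pairs):
    # Helper that assembles a constructed response head for the samples below.
    return "HTTP/1.1 200 OK\r\n" + "".join(f"{k}: {v}\r\n" for k, v in pairs) + "\r\n"

# Constructed samples (not captured from a real BIG-IP).
NO_HEADERS = build([("Content-Type", "text/html")])
QUOTED = build([(k, "'nosniff'" if k == "X-Content-Type-Options" else v) for k, v in EXPECTED.items()])
DUPLICATE = build(list(EXPECTED.items()) + [("Pragma", "no-cache")])

if __name__ == "__main__":
    for label, raw in [("no headers", NO_HEADERS), ("quoted", QUOTED), ("duplicate", DUPLICATE)]:
        print(label, audit_headers(raw))
```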