ASM: Need to add HTTP security headers for response and blocking pages

Question

Hi there,We are needing to turn on security headers for ASM response and blocking pages.&nbsp; There is a KB (K25232031 ) that mentions it being enabled by default for version 16.0.0.We are running a prior version.&nbsp; Does anyone know if this is possible on earlier versions?

enes_afsin_al · Answer

&nbsp;
Hi,
You can add response headers from the "Response and Blocking Pages" settings.
Security &gt; Application Security &gt; Security Policies &gt; Policies List &gt; waf_policy_name &gt; Response and Blocking Pages &gt; Custom Response

juergen_mang · Answer

K25232031&nbsp; is interesting, thanks for the link.
About X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-ProtectionAbout X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Adding a simple Content-Security-Policy will be the better way. I do not tested it, but this shoud suffice:
&nbsp;
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
&nbsp;
P.S.: I always change the Response Code to 403
&nbsp;
&nbsp;

Forum Discussion

ASM: Need to add HTTP security headers for response and blocking pages

2 Replies

Jeff - May 2026 Featured F5er

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

certitcate error

about create wide ip,

Dynamic import of data groups

Changes to DO and AS3 GitHub - no longer monitored

Disk capacity on F5 rSeries

Related Content

Quarterly Security Notification October 2025

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

Logging/Blocking possible prompt injection

Response and blocking page

In search of a security incident response system for the masses

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS