Clickjacking iRule assist

Question

I have the below requirement I need to insert 
X-FRAME-OPTIONS "DENY" only if the requests don't originate from my domain *.123.com but I need to insert it from any other domain. How can i accomplish this using iRules?
X-FRAME-OPTIONS "ALLOW FROM" does not allow multiple domains or sub domains. That is why I am seeking options.
I am sure the below will not work...right?
When HTTP_RESPONSE {
HTTP::header insert "X-FRAME-OPTIONS" "ALLOW-FROM http://*.123.com"
}

youssef1 · Answer

Hi,
can you try this (I checked rfc but it's not clear...):
if { not([HTTP::header exists "X-Frame-Options"])}{
    HTTP::header insert X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
} else {
    HTTP::header replace X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
}

Just be carefull, Chrome not support Allow-From in X-Frame-Options header since a specific version, it ignores this header and blocks you in any case. 
Additional point take a looke to "Content-Security-Policy" if it can help you.
keep me in touch,
regards,

Forum Discussion

Clickjacking iRule assist

Recent Discussions

Creating Policy using Terraform

Alert Mail when virtual server down trubleshooting

How to disable RC4 Cipher on SSL

Big-IQ + LetsEncrypt wildcard

DEVICE-0202 Error while adding rSeries as a provider in CM

Related Content

iRule assistance for subfolder redirect

iRule assistance

iRule assistance

clickjacking

iRule assistance

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS