Forum Discussion

Nimbostratus

Oct 11, 2018

Clickjacking iRule assist

I have the below requirement I need to insert X-FRAME-OPTIONS "DENY" only if the requests don't originate from my domain *.123.com but I need to insert it from any other domain. How can i accomplish...

Cumulonimbus

Oct 12, 2018

Hi,

can you try this (I checked rfc but it's not clear...):

if { not([HTTP::header exists "X-Frame-Options"])}{
    HTTP::header insert X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
} else {
    HTTP::header replace X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
}

Just be carefull, Chrome not support Allow-From in X-Frame-Options header since a specific version, it ignores this header and blocks you in any case.

Additional point take a looke to "Content-Security-Policy" if it can help you.

keep me in touch,

regards,

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Clickjacking iRule assist

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

iRule assistance for subfolder redirect

iRule assistance

iRule assistance

clickjacking

iRule assistance

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS