Forum Discussion

Nimbostratus

Oct 11, 2018

Clickjacking iRule assist

I have the below requirement I need to insert X-FRAME-OPTIONS "DENY" only if the requests don't originate from my domain *.123.com but I need to insert it from any other domain. How can i accomplish...

Cumulonimbus

Oct 12, 2018

Hi,

can you try this (I checked rfc but it's not clear...):

if { not([HTTP::header exists "X-Frame-Options"])}{
    HTTP::header insert X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
} else {
    HTTP::header replace X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
}

Just be carefull, Chrome not support Allow-From in X-Frame-Options header since a specific version, it ignores this header and blocks you in any case.

Additional point take a looke to "Content-Security-Policy" if it can help you.

keep me in touch,

regards,

Forum Discussion

Clickjacking iRule assist

Recent Discussions

Reliable resources for identifying IP addresses

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Related Content

iRule assistance for subfolder redirect

iRule assistance based on URI and source address

iRule assistance

iRule assistance

clickjacking