Forum Discussion
Domai_23823
Nimbostratus
NimbostratusClickjacking iRule assist
I have the below requirement I need to insert
X-FRAME-OPTIONS "DENY" only if the requests don't originate from my domain *.123.com but I need to insert it from any other domain. How can i accomplish...
youssef1
Cumulonimbus
CumulonimbusHi,
can you try this (I checked rfc but it's not clear...):
if { not([HTTP::header exists "X-Frame-Options"])}{
HTTP::header insert X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
} else {
HTTP::header replace X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
}
Just be carefull, Chrome not support Allow-From in X-Frame-Options header since a specific version, it ignores this header and blocks you in any case.
Additional point take a looke to "Content-Security-Policy" if it can help you.
keep me in touch,
regards,
