Clickjacking protection using X-FRAME-OPTIONS: ALLOW-FROM URI

Question

Hello Folks,&nbsp;
Can anyone help by sharing a snippet of iRule by inserting XFRAME-OPTIONS:ALLOW-FROM (single / multiple URI)?&nbsp;
The requirement is to allow certain Frames from different applications hosted within the same environment. Since X-FRAME-OPIONS:Allow-from supports only 1 URI, can we create any iRule to embed multiple URI for "Allow-from" header?&nbsp;
Perhaps using String based Data group, and call that Data group within an iRule, and verify if the URI is part of the Data group? &nbsp;
Thank you mates!
Cheers!&nbsp;

zeeshan_ahmad_1 · Answer

Hi Darshan,
Note that in X-Frame-Options header Allow-From token does not support wildcards or listing of multiple origins and it is not supported by couple of browsers as well, you can use the below irule where you can mention the URL from where you want to make it accessible
 when HTTP_RESPONSE {
   HTTP::header replace X-Frame-Options "ALLOW-FROM http://www.mysite.com"
}

Forum Discussion

Clickjacking protection using X-FRAME-OPTIONS: ALLOW-FROM URI

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 AWAF/ASM learning only from Trusted traffic?

OWA File Upload URIs for WAF Bypass

irule execution error

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Removing x-frame-options header from response when using APM

BYOEDR, Undetectable backdoor, WhoFi, Cyberattack to airline, and Clickjacking vulnerability

Set x-frames-options header values depending on URI

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS