Forum Discussion

Altostratus

Aug 30, 2015

Clickjacking protection using X-FRAME-OPTIONS: ALLOW-FROM URI

Hello Folks, Can anyone help by sharing a snippet of iRule by inserting XFRAME-OPTIONS:ALLOW-FROM (single / multiple URI)? The requirement is to allow certain Frames from different applicat...

Nimbostratus

Dec 10, 2015

Hi Darshan,

Note that in X-Frame-Options header Allow-From token does not support wildcards or listing of multiple origins and it is not supported by couple of browsers as well, you can use the below irule where you can mention the URL from where you want to make it accessible

 when HTTP_RESPONSE {
   HTTP::header replace X-Frame-Options "ALLOW-FROM http://www.mysite.com"
}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

Community Articles

application delivery

CIS

container ingress services

devops

Gateway Fabric

F5 Architecture Track Sessions - AppWorld 2026

DevCentral News

announcement

Appworld2026

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Clickjacking protection using X-FRAME-OPTIONS: ALLOW-FROM URI

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

irule execution error

F5 AWAF/ASM learning only from Trusted traffic?

OWA File Upload URIs for WAF Bypass

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Removing x-frame-options header from response when using APM

BYOEDR, Undetectable backdoor, WhoFi, Cyberattack to airline, and Clickjacking vulnerability

Set x-frames-options header values depending on URI

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS