Clickjacking protection with X-Frame options

Question

We have a situation where sites are missing X-Frame Options
How can we return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itselfSecure Cookies&nbsp;
I found the following single line iRule implementation, can you please verify&nbsp;
when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" “(DENY || SAMEORIGIN)” }&nbsp;

kevin_stewart · Answer

I'd use a replace:
when HTTP_RESPONSE {
   HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

deepak__m_k_165 · Answer

Hi Kevin ,&nbsp;
How to test once we have implemented the iRule ?&nbsp;
thanks and regards
Deepak MK&nbsp;

jaz_170005 · Answer

Hello Everyone,&nbsp;
That iRule works, however it means that we have to add it to every VS we have (we have tons of those). is there a better solution? 
does F5 has a HF for it? &nbsp;

Forum Discussion

Clickjacking protection with X-Frame options

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Removing x-frame-options header from response when using APM

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

L7 DoS Protection with NGINX App Protect DoS

Beyond REST: Protecting GraphQL

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS