Clickjacking protection with X-Frame options

Question

We have a situation where sites are missing X-Frame Options
How can we return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itselfSecure Cookies&nbsp;
I found the following single line iRule implementation, can you please verify&nbsp;
when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" “(DENY || SAMEORIGIN)” }&nbsp;

kevin_stewart · Answer

I'd use a replace:
when HTTP_RESPONSE {
   HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

deepak__m_k_165 · Answer

Hi Kevin ,&nbsp;
How to test once we have implemented the iRule ?&nbsp;
thanks and regards
Deepak MK&nbsp;

jaz_170005 · Answer

Hello Everyone,&nbsp;
That iRule works, however it means that we have to add it to every VS we have (we have tons of those). is there a better solution? 
does F5 has a HF for it? &nbsp;

Forum Discussion

Clickjacking protection with X-Frame options

Recent Discussions

APM with EntraID as idP / request signed

Creating Policy using Terraform

Alert Mail when virtual server down trubleshooting

How to disable RC4 Cipher on SSL

Big-IQ + LetsEncrypt wildcard

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

Removing x-frame-options header from response when using APM

L7 DoS Protection with NGINX App Protect DoS

Beyond REST: Protecting GraphQL

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS