Forum Discussion

Moinul_Rony's avatar
Moinul_Rony
Icon for Altostratus rankAltostratus
Aug 27, 2013

Clickjacking protection with X-Frame options

We have a situation where sites are missing X-Frame Options How can we return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itselfSecure Cookies

 

I found the following single line iRule implementation, can you please verify

 

when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" “(DENY || SAMEORIGIN)” }

 

  • I'd use a replace:

    when HTTP_RESPONSE {
       HTTP::header replace X-Frame-Options "SAMEORIGIN"
    }
    
  • Hi Kevin ,

     

    How to test once we have implemented the iRule ?

     

    thanks and regards Deepak MK

     

  • Hello Everyone,

     

    That iRule works, however it means that we have to add it to every VS we have (we have tons of those). is there a better solution? does F5 has a HF for it?