
mkm_322720
Jun 05, 2017

clickjacking

Can anyone help by sharing an iRule for clickjacking?

 

I got a solution from my external vulnerability assessment report as below: "Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed."

 

1 Reply

  • Hello mkm,

    Depending on the origin of the loaded frame, you can use "SAMEORIGIN" or "ALLOW-FROM uri":

        when HTTP_RESPONSE {
            HTTP::header replace X-Frame-Options "SAMEORIGIN"
        }
    

    or this one

        when HTTP_RESPONSE {
            HTTP::header replace X-Frame-Options "ALLOW-FROM https://mysite.domain.com"
        }
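
A way to check what the virtual server actually returns once one of the iRules above is attached, as an added example that is not part of the original thread: it classifies the X-Frame-Options header(s) of a response, including the case where the backend already sends its own value. The function name `audit_xfo` and the sample header lists are constructed for illustration.

```python
# Added example: names and sample data are constructed, not from the thread.

def audit_xfo(headers):
    """Classify the framing policy in a list of (name, value) response headers.

    Returns (verdict, detail); verdict is one of: missing, deny, sameorigin,
    allow-from, conflict, invalid.
    """
    tokens = []
    for name, value in headers:
        # Names are case-insensitive; the header may repeat or be comma-joined.
        if name.strip().lower() == "x-frame-options":
            tokens += [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        return "missing", "no X-Frame-Options header, framing is unrestricted"
    distinct = sorted({t.lower() for t in tokens})
    if len(distinct) > 1:
        return "conflict", "more than one distinct value: " + ", ".join(distinct)
    parts = tokens[0].split(None, 1)
    directive = parts[0].lower()
    if directive in ("deny", "sameorigin") and len(parts) == 1:
        return directive, "single valid directive"
    if directive == "allow-from":
        if len(parts) == 1:
            return "invalid", "ALLOW-FROM without an origin"
        # ALLOW-FROM is obsolete and ignored by current browsers.
        return "allow-from", parts[1] + " (obsolete, ignored by current browsers)"
    return "invalid", "unrecognised directive: " + tokens[0]

# Constructed sample responses (duplicates preserved, as seen on the wire).
SAMPLES = {
    "irule_sameorigin": [("Content-Type", "text/html"),
                         ("X-Frame-Options", "SAMEORIGIN")],
    "irule_allow_from": [("X-Frame-Options",
                          "ALLOW-FROM https://mysite.domain.com")],
    "backend_plus_proxy": [("X-Frame-Options", "DENY"),
                           ("x-frame-options", "SAMEORIGIN")],
    "no_header": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_xfo(hdrs))
```
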