Forum Discussion
Configuring LTM policies with request and response conditions
BIG IP VERSION 13.1.0.6
Afternoon.
The following LTM policy exists to insert security headers into responses when missing. The LTM policy is attached to a VS which performs virtual hosting using another LTM policy to switch the back-end pools depending on the incoming header.
A new requirement to remove the X-Content-Type-Options nosniff header for specific sites hosted on this virtual server exists, and the LTM policy was adjusted as below to include an "is not" request condition against the host header. This, however, has resulted in unexpected behaviour whereby the header is no longer inserted regardless of which site is being requested.
Any ideas?
Code
ltm policy pol-tp-http-header-apply-security-controls-inc-exclusions {
    description "Edit headers on response to enable security controls"
    last-modified 2019-01-10:14:09:44
    requires { http }
    rules {
        rl-tp-header-insert-x-content-type-options {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Content-Type-Options
                    value nosniff
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    not
                    values { site1.example.com site2.example.com }
                }
                1 {
                    http-header
                    response
                    name X-Content-Type-Options
                    not
                    values { nosniff }
                }
            }
            description "Insert the x-content-type-options header set to no sniff"
            ordinal 2
        }
    }
}
- Dave_McCauley_3Cirrostratus
Try using an iRule instead. Policies are fine when they work, but there are more people that understand iRules than LTM policies and definitely a lot more in use, so you'll end up hitting fewer bugs.
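An added example of the iRule approach suggested in the reply, not code from either poster: the host is checked on the request and the result is carried over to the response, where the header is inserted. The two host names come from the policy above; the variable name `xcto_insert` is an assumption, and host values are assumed to be names or IPv4 addresses (an IPv6 literal would need different port stripping).

```tcl
when HTTP_REQUEST {
    # The Host header is only available on the request side, so the
    # include/exclude decision is made here and stored for the response.
    # Normalise first: lower-case and drop any ":port" suffix.
    set xcto_host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $xcto_host {
        "site1.example.com" -
        "site2.example.com" {
            # Excluded sites: leave the response headers untouched.
            set xcto_insert 0
        }
        default {
            set xcto_insert 1
        }
    }
}

when HTTP_RESPONSE {
    # Insert only when the request was for a non-excluded host and the
    # back end has not already sent the header (avoids duplicates).
    if { [info exists xcto_insert] && $xcto_insert } {
        if { ![HTTP::header exists "X-Content-Type-Options"] } {
            HTTP::header insert "X-Content-Type-Options" "nosniff"
        }
    }
}
```

Unknown or missing Host values fall through to `default` and receive the header, so the exclusion list fails closed.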