Forum Discussion
Configuring X-Frame-Options Allow-From
Hi All,
I have been asked by the business to configure X-Frame-Options Allow-From in the response header.
Quick search gave me the below iRule,
when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN" }
However, the value of the XFO is to be Allow-From.
Can anyone please look into this for an appropriate iRule.
Thanks in advance,
MSK
- Hannes_Rapp_162 (Nacreous)
It's certainly doable, but it's a bit of a limiting solution for the customer. If you specify that Allow-From option, your customers will be restricted to Internet Explorer or Mozilla Firefox (Chrome, Chromium, Safari do not support Allow-From).
For public-facing applications, there are two options - use SAMEORIGIN as the value for X-Frame-Options, or do not use X-Frame-Options at all. It's a pity that developers of major web browsers do not cooperate to align standards.
If you still want to go for it:
when HTTP_RESPONSE {
    if { not([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
    } else {
        HTTP::header replace X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
    }
}
Have not tested for errors (please verify in QA, and check /var/log/ltm for TCL errors)
Regards,
- MSK_222682 (Nimbostratus)
Hi Hannes, thanks for the quick response! I agree with you that it's the developers' job to include security elements in their design phase itself rather than later. With regards to the value, penetration results were successfully tested from IE11 & Firefox 46 for this application with the value set to Allow-From. So, they want to deploy this solution on BIG-IP. Is it possible for you to share the iRule to set the X-Frame-Options header value to Allow-From? Thanks in advance, MSK
- Hannes_Rapp_162 (Nacreous)
Amended my initial answer with the iRule.
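The thread's iRule sets the header but, as Hannes notes, was not tested, and the OP's first copy carried a stray parenthesis in the value. Before pushing a value like this to a BIG-IP, it is worth checking what it will actually mean to browsers. The following Python is an added example written for this thread, not F5 or BIG-IP code: audit_xfo classifies an X-Frame-Options value (DENY, SAMEORIGIN, ALLOW-FROM or invalid), validates the ALLOW-FROM origin syntax, records the browser-support caveat from the thread, and reports the equivalent Content-Security-Policy frame-ancestors directive that all current browsers honour; set_xfo mirrors the insert-or-replace logic of the iRule on a header dict, matching the header name case-insensitively so an existing x-frame-options from the origin server is replaced rather than duplicated. All function and variable names are my own; the sample values are constructed.

```python
"""Pre-deployment check for an X-Frame-Options (XFO) header value.

Added example for this thread, not BIG-IP or F5 code. The directive names,
the browser-support facts and the CSP frame-ancestors mapping are standard;
every function and variable name here is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Browser support as stated in the thread: only IE and Firefox honour
# ALLOW-FROM; Chrome, Chromium and Safari ignore the whole header when it
# carries that directive, so those users get no framing protection from it.
ALLOW_FROM_UNSUPPORTED = ("Chrome", "Chromium", "Safari")


@dataclass
class XfoAudit:
    value: str                      # header value exactly as supplied
    directive: str                  # DENY, SAMEORIGIN, ALLOW-FROM or INVALID
    origin: Optional[str] = None    # origin carried by ALLOW-FROM, if any
    problems: List[str] = field(default_factory=list)
    csp_equivalent: Optional[str] = None  # cross-browser CSP directive


def audit_xfo(header_value: str) -> XfoAudit:
    """Classify an XFO value and list deployment problems (empty if clean)."""
    raw = header_value.strip()
    parts = raw.split(None, 1)
    if not parts:
        return XfoAudit(raw, "INVALID", problems=["empty header value"])
    directive = parts[0].upper()
    rest = parts[1].strip() if len(parts) > 1 else ""

    if directive in ("DENY", "SAMEORIGIN"):
        csp = "frame-ancestors " + ("'none'" if directive == "DENY" else "'self'")
        audit = XfoAudit(raw, directive, csp_equivalent=csp)
        if rest:
            audit.problems.append(f"{directive} takes no argument, got {rest!r}")
        return audit

    if directive != "ALLOW-FROM":
        # Covers typos and copy/paste damage such as "SAMEORIGIN)" with a
        # stray parenthesis, which browsers treat as an unknown directive.
        return XfoAudit(raw, "INVALID", problems=[f"unknown directive {parts[0]!r}"])

    audit = XfoAudit(raw, "ALLOW-FROM")
    if not rest:
        audit.problems.append("ALLOW-FROM requires exactly one origin")
        return audit
    if "," in rest or " " in rest:
        audit.problems.append("ALLOW-FROM accepts a single origin, not a list")
        return audit
    parsed = urlsplit(rest)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        audit.problems.append(f"origin must be scheme://host[:port], got {rest!r}")
        return audit
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        audit.problems.append("origin must not carry a path, query or fragment")
        return audit
    audit.origin = f"{parsed.scheme}://{parsed.netloc}"
    audit.csp_equivalent = f"frame-ancestors {audit.origin}"
    audit.problems.append(
        "ALLOW-FROM is ignored by " + ", ".join(ALLOW_FROM_UNSUPPORTED)
        + "; those browsers get no framing protection from this header")
    return audit


def set_xfo(headers: Dict[str, str], value: str) -> Dict[str, str]:
    """Insert-or-replace X-Frame-Options the way the thread's iRule does.

    Header names are case-insensitive, so any existing spelling of the
    header is dropped before the new one is written; the result never
    carries two conflicting X-Frame-Options values.
    """
    updated = {k: v for k, v in headers.items() if k.lower() != "x-frame-options"}
    updated["X-Frame-Options"] = value
    return updated


if __name__ == "__main__":
    # Constructed sample values, including the OP's damaged one.
    for candidate in ("SAMEORIGIN", "SAMEORIGIN)",
                      "ALLOW-FROM https://devcentral.f5.com",
                      "ALLOW-FROM https://devcentral.f5.com/path"):
        result = audit_xfo(candidate)
        print(f"{candidate!r}: {result.directive} problems={result.problems}")
```

Run it on the value you intend to deploy; an empty problems list for SAMEORIGIN or DENY means the header will behave the same in every browser, while ALLOW-FROM always returns at least the unsupported-browser caveat, which is the trade-off Hannes describes above.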