Forum Discussion
Configuring X-Frame-Options Allow-From
It's certainly doable, but it's a bit of a limiting solution for the customer. If you specify that Allow-From option, your customers will be restricted to Internet Explorer or Mozilla Firefox (Chrome, Chromium, Safari do not support Allow-From).
For public-facing applications, there are two options - use SAMEORIGIN as the value for X-Frame-Options, or do not use X-Frame-Options at all. It's a pity that developers of major web browsers do not cooperate to align standards.
If you still want to go for it:
when HTTP_RESPONSE {
    # Set ALLOW-FROM whether or not the origin server already sent the header,
    # without ever emitting two X-Frame-Options headers.
    # Tcl's expr has no not() function; logical negation is the ! operator.
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
    } else {
        HTTP::header replace X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
    }
}
Have not tested for errors (please verify in QA, and check /var/log/ltm for TCL errors).
Regards,
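A QA check for the header the iRule emits, added here as an example (it is not from the thread or from F5): it parses a raw HTTP response head, accepts DENY, SAMEORIGIN or ALLOW-FROM with an absolute origin, rejects duplicate X-Frame-Options headers, and records the browser caveat from the answer. The sample response is constructed.

```python
"""QA check for the X-Frame-Options header a BIG-IP iRule sets (added example)."""
from urllib.parse import urlsplit

# Browser support as stated in the thread: ALLOW-FROM is honoured by IE and Firefox only.
ALLOW_FROM_BROWSERS = ("Internet Explorer", "Firefox")

# Constructed sample response, as an origin behind the iRule above would return it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"x-frame-options: ALLOW-FROM https://devcentral.f5.com\r\n"
    b"\r\n"
    b"<html></html>"
)


def xfo_values(raw_response: bytes) -> list:
    """Return every X-Frame-Options value in the response head (name matched case-insensitively)."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values


def check_xfo(raw_response: bytes) -> dict:
    """Classify the header: missing, duplicated, DENY/SAMEORIGIN, ALLOW-FROM <origin>, or invalid."""
    values = xfo_values(raw_response)
    if not values:
        return {"ok": False, "reason": "X-Frame-Options missing"}
    if len(values) > 1:  # the iRule's exists/insert-vs-replace branch exists to avoid this
        return {"ok": False, "reason": "multiple X-Frame-Options headers"}
    directive, _, arg = values[0].partition(" ")
    directive, arg = directive.upper(), arg.strip()
    if directive in ("DENY", "SAMEORIGIN") and not arg:
        return {"ok": True, "directive": directive, "all_browsers": True}
    if directive == "ALLOW-FROM":
        parts = urlsplit(arg)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return {"ok": False, "reason": "ALLOW-FROM needs an absolute origin URI"}
        return {"ok": True, "directive": directive, "origin": f"{parts.scheme}://{parts.netloc}",
                "all_browsers": False, "honoured_by": ALLOW_FROM_BROWSERS}
    return {"ok": False, "reason": f"unrecognised value {values[0]!r}"}


if __name__ == "__main__":
    print(check_xfo(SAMPLE_RESPONSE))
```

Run it against a response captured from the virtual server after the iRule is applied; a result with "all_browsers": False is the reminder that Chrome, Chromium and Safari users are not covered by that value.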
- MSK_222682 (May 18, 2016, Nimbostratus):
Hi Hannes, thanks for the quick response! I agree with you that it's the developer's job to include security elements in the design phase itself rather than later. With regards to the value, penetration results were successfully tested from IE11 & Firefox46 for this application with the value set to Allow-From. So, they want to deploy this solution on BIG-IP. Is it possible for you to share the iRule to set the X-Frame-Options header value to Allow-From? Thanks in advance, MSK
- Hannes_Rapp (May 18, 2016, Nimbostratus):
Amended my initial answer with the iRule.