Forum Discussion

Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous

It’s certainly doable but it’s a bit limiting solution for the customer. If you specify that Allow-From option, your customers will be restricted to Internet Explorer or Mozilla Firefox (Chrome, Chromium, Safari do not support Allow-From).

For public-facing applications, there are two options - use SAMEORIGIN as the value for X-Frame-Options, or do not use X-Frame-Options at all. It's a pity that developers of major web browsers do not cooperate to align standards

If you still want to go for it:

when HTTP_RESPONSE {

  if { not([HTTP::header exists "X-Frame-Options"])}{
    HTTP::header insert X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
  } else {
    HTTP::header replace X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
  }

}

Have not tested for errors (please verify in QA, and check /var/log/ltm for TCL errors)

Regards,

MSK_222682's avatar
MSK_222682
Icon for Nimbostratus rankNimbostratus
May 18, 2016
Hi Hannes, Thanks for the quick response! I agreed with you that it's the developers job to include security elements in their design phase itself rather than later. With regards to the value, penetration results were successfully tested from IE11 & Firefox46 for this application with the value set to Allow-From. So, they want to deploy this solution on BIG-IP. Is it possible for you to share the iRule to set the X-Frame-Options header value to Allow-From. Thanks in advance, MSK