Forum Discussion
Content Security Policy
I have a requirement where I need to implement Content Security Policy on an SNI VIP. Could you please suggest how to identify the HTTP response header for a specific URL? I tried something like this, but it does not seem to be working:
when HTTP_RESPONSE {
    if { [HTTP::header values Location] contains "example" } {
        HTTP::header insert Content-Security-Policy "..........
- Simon_Blakely
Employee
The "Location" header is only set for 3xx redirects or 201/202 responses.
Unless your Origin Web server (pool member) explicitly sets a header to identify the source, you will need to record the destination host header in HTTP_REQUEST, and then use that to add the Content Security Policy.
Please note: the following is example code to illustrate the technique and may require modification.
when HTTP_REQUEST {
    set my_host [HTTP::host]
}
when HTTP_RESPONSE {
    if { $my_host contains "example.com" } {
        # Check the status to see if it is 200 ...
        if { [HTTP::status] == 200 } {
            HTTP::header insert Content-Security-Policy ...
        }
    }
}
However, I would suggest doing this with caution - my opinion is that Content Security Policy is an application-level setting, and should be managed by the application owner/developer. Applying a blanket CSP to an entire virtual runs the risk of impacting application behaviour in unexpected ways. You may end up building a complex iRule to manage CSP options on various site URLs, which can quickly reduce reliability and maintainability.
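Added example, not part of the thread or of F5's own code: one way to extend the request-host technique above so that it addresses the caution about breaking applications, by leaving any policy the origin already sends untouched and starting in report-only mode. The variable names, the `/admin/*` path and both policy strings are assumptions made for illustration; `example.com` is the host from the thread.

```tcl
when HTTP_REQUEST {
    # The Host header can carry a port and mixed case; normalise before matching.
    set csp_host [string tolower [getfield [HTTP::host] ":" 1]]
    set csp_path [string tolower [HTTP::path]]
}

when HTTP_RESPONSE {
    # Only successful responses are candidates, as in the reply above.
    if { [HTTP::status] != 200 } { return }

    # CSP is only meaningful on documents; skip images, JSON, downloads, etc.
    set ctype [string tolower [HTTP::header value Content-Type]]
    if { not ($ctype starts_with "text/html") } { return }

    # Match the exact host or its subdomains. "contains" would also match
    # unrelated names that merely include the string (e.g. example.com.test).
    if { not ($csp_host equals "example.com" or $csp_host ends_with ".example.com") } {
        return
    }

    # If the application already sets a policy, the application owner wins.
    if { [HTTP::header exists Content-Security-Policy] } { return }
    if { [HTTP::header exists Content-Security-Policy-Report-Only] } { return }

    # Per-path policy selection (hypothetical paths and policy values).
    switch -glob -- $csp_path {
        "/admin/*" {
            set csp_policy "default-src 'self'; frame-ancestors 'none'"
        }
        default {
            set csp_policy "default-src 'self'; img-src 'self' data:"
        }
    }

    # Report-only first: browsers log violations without blocking content,
    # so the policy can be tuned before switching to the enforcing
    # Content-Security-Policy header.
    HTTP::header insert Content-Security-Policy-Report-Only $csp_policy
}
```

Each additional `switch` arm is another policy to maintain on the BIG-IP, which is the maintainability cost the reply warns about.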