For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RKC_260787's avatar
RKC_260787
Icon for Nimbostratus rankNimbostratus
Oct 15, 2017

Content Security Policy

I have a requirement where i need to implement Content Security Policy to SNI VIP . Could you please suggest how to identify HTTP response header for specific URL ,i tried something link this but it ...
application delivery
iRules
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Oct 15, 2017

The "Location" header is only set for 3xx redirects or 201/202 responses.

 

Unless your Origin Web server (pool member) explicitly sets a header to identify the source, you will need to record the destination host header in HTTP_REQUEST, and then use that to add the Content Security Policy.

 

Please note: - the following is example code to illustrate the technique and may require modification

 

when HTTP_REQUEST {
  set my_host [HTTP::host]
}
when HTTP_RESPONSE {
  if { $my_host contains "example.com" } {
     Check the status to see if it is 200 ...
    if {[HTTP::status] == 200} {
      HTTP::header insert Content-Security-Policy ...
    }
  }
}

However, I would suggest doing this with caution - my opinion is that Content Security Policy is an application level setting, and should be managed by the application owner/developer. Applying a blanket CSP to an entire virtual runs the risk of impacting application behaviour in unexpected ways. You may end up building a complex irule to manage CSP options on various site URLs, which can quickly reduce reliability and maintainability.