Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Andreia's avatar
Andreia
Icon for Cirrus rankCirrus
Mar 25, 2024

How to insert a header into a request via iRule?

Hello!   An application from the company I work for is receiving CORS failure because they did not implement the "Access-Control-Allow-Origin" header in the application. I want to insert this head...
devops
security
Kenn's avatar
Kenn
Icon for Nimbostratus rankNimbostratus
Mar 25, 2024

Hi!  The pseudocode looks pretty good, so just need to fill in the specifics.  This is an example we use for some other security-related headers:

when HTTP_RESPONSE priority 500 {
    if { !([HTTP::header exists "Access-Control-Allow-Origin"]) } {
        HTTP::header insert "Access-Control-Allow-Origin" "*.xyz.com"
    }
}

 

The body of the if block will only execute if the statement in the first set of curly braces evaluates to true.

Anything in square brackets will be evaluated and replaced with the returned value.  [HTTP::header exists "Access-Control-Allow-Origin"] will evaluate to true if the header exists, and false if it is missing.  Because the if statement is required to be true for the code to execute, we need to reverse the condition.  !(...) will do this. 

A missing header evaluates to !([false]) == true, and the header will be inserted.  If the header is found, it will evaluate to !([true]) == false, and the header will not be inserted.