Forum Discussion

Nimbostratus

Aug 25, 2020

HTML5 Cross-Domain Reuest Enforcement not working as expected (13.1.1)

I am confused by the HTML5 Cross-Domain Reuest Enforcement. We have tested all of the modes quite extensively and analyzed the bahaviour. Mode "Replace CORS headers" actually seems to remove th...

ASM Advanced WAF

security

Cirrus

Sep 02, 2020

First off, are you updating the policy and then applying the policy?

I have implemented this in my environment with success. Enforce works works with a list of explicit origins and replaces all CORS headers (you cannot remove/replace/manipulate/modify specific headers). Replace option allows you to remove/replace/manipulate/modify specific headers based on your configuration.

"""

Replace CORS headers (HTTP URLs only): Replace the CORS header in the response with another header specified on the tab, including allowed origins, allowed methods, allowed headers, and so on. The browser enforces the policy.

Enforce on ASM: Allow cross-origin resource sharing as configured. CORS requests are allowed from the domains specified as allowed origins. ASM enforces the policy.

"""

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/17.html

"""

Disabled: The system does not enforce CORS headers.

Remove all CORS headers: The system removes all CORS headers.

Replace CORS headers: The system replaces CORS headers.

Enforce on ASM: The system removes all CORS headers and replaces them.

"""

"Help" tab in BIG-IP system

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)