Forum Discussion
HTTP header insert
I am trying to insert the HTTP header "X-Frame-Options: SAMEORIGIN" in order to mitigate a security vulnerability. Can anyone share the correct syntax for this please?
- Andy_McGrath (Cumulonimbus)
For all HTTP responses, simply add to the HTTP profile under 'Request Header Insert' a value of 'X-Frame-Options: SAMEORIGIN'
If you need to add to select HTTP responses you will need an iRule to identify which responses you wish to add the HTTP header into.
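- Stanislas_Piro2 (Cumulonimbus)
Try this:
```tcl
when HTTP_RESPONSE {
    # X-Frame-Options is a response header, so it is set on the response to the client
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    } elseif { !([HTTP::header "X-Frame-Options"] equals "SAMEORIGIN") } {
        # Header already present with a different value: overwrite it
        HTTP::header replace "X-Frame-Options" "SAMEORIGIN"
    }
}
```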
- Greg_Donohoe_25 (Nimbostratus)
Thank you for the response Andrew. I was looking for the iRule syntax as I may need more than one response in header.
- Muhammad_64435 (Nimbostratus)
Just curious to know why we need to check if the header doesn't exist before inserting one?
If we don't check and keep inserting, it will keep overwriting the previous one, won't it?
I appreciate any insight.
-mS
- Greg_Donohoe_25 (Nimbostratus)
Now I have all of the headers I need.
  * X-Frame-Options: SAMEORIGIN
  * X-XSS-Protection: 1; mode=block
  * X-Content-Type-Options: 'nosniff'
I am trying to amend your rule into the correct syntax but it does not work.
- Stanislas_Piro2 (Cumulonimbus)
```tcl
when HTTP_RESPONSE {
    # These are response headers, so they are set on the response to the client
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        # The value is the bare token nosniff, without quote characters
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
```
- Greg_Donohoe_25 (Nimbostratus)
That iRule worked perfectly. Thanks for all your help.
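A way to confirm the result from the client side, as an added example that is not code from any poster in this thread: it parses the head of a raw HTTP response and reports which of the three headers discussed above are missing, sent more than once, or carry an unexpected value. The function name `audit_headers` and both sample responses are constructed for illustration.

```python
from collections import defaultdict

# Header values this thread settles on (header names are case-insensitive).
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}


def audit_headers(raw_response: bytes) -> list[str]:
    """Return findings for missing, duplicated or unexpected header values."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    seen = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            seen[name.strip().lower()].append(value.strip())

    findings = []
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
            continue
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times")
        for got in values:
            if got.lower() != want.lower():
                findings.append(f"{name}: unexpected value {got!r}")
    return findings


# Constructed sample responses (not captured traffic).
GOOD = (b"HTTP/1.1 200 OK\r\n"
        b"X-Frame-Options: SAMEORIGIN\r\n"
        b"X-XSS-Protection: 1; mode=block\r\n"
        b"X-Content-Type-Options: nosniff\r\n\r\n<html></html>")
BAD = (b"HTTP/1.1 200 OK\r\n"
       b"X-Frame-Options: SAMEORIGIN\r\n"
       b"X-Frame-Options: SAMEORIGIN\r\n"        # same header present twice
       b"X-Content-Type-Options: 'nosniff'\r\n\r\n")  # quotes sent literally

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit_headers(raw) or "ok")
```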