Greg_Donohoe_25
Oct 16, 2015

HTTP header insert

I am trying to insert the HTTP header "X-Frame-Options: SAMEORIGIN" in order to mitigate a security vulnerability. Can anyone share the correct syntax for this please?

 

  • For all HTTP responses simply add to HTTP profile under 'Request Header Insert' value of 'X-Frame-Options: SAMEORIGIN'

     

    If you need to add to select HTTP responses you will need an iRule to identify which responses you wish to add the HTTP header into.

     

  • try this:

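    when HTTP_RESPONSE {
        # X-Frame-Options is a response header, so set it on the response sent to the client
        if { !([HTTP::header exists "X-Frame-Options"]) } {
                HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
        } elseif { !([HTTP::header value "X-Frame-Options"] equals "SAMEORIGIN") } {
                # The server already sent the header with another value: overwrite it
                HTTP::header replace "X-Frame-Options" "SAMEORIGIN"
        }
    }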
    
  • Thank you for the response Andrew. I was looking for the iRule syntax as I may need more than one response in header.

     

    • Muhammad_64435

      Just curious to know why we need to check if the header doesn't exist before inserting one?

       

      If we don't check and keep inserting, it will keep overwriting the previous one, won't it?

       

      I appreciate any insight.

       

      -mS

       

  • Now I have all of the headers I need.

      o X-Frame-Options: SAMEORIGIN
      o X-XSS-Protection: 1; mode=block
      o X-Content-Type-Options: 'nosniff'

     

    I am trying to amend your rule into the correct syntax but it does not work.

     

  • when HTTP_RESPONSE {
        # These are response headers, so add them to the response unless the server already sent them
        if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
        if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
        # The header value is the bare token nosniff, without quote characters
        if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
    }