Forum Discussion
Greg_Donohoe_25
Nimbostratus
NimbostratusHTTP header insert
I am trying to insert the HTTP header "X-Frame-Options: SAMEORIGIN" in order to mitigate a security vunerability. Can anyone share the correct syntax for this please?
Andy_McGrathCumulonimbus
For all HTTP responses simple add to HTTP profile under 'Request Header Insert' value of 'X-Frame-Options: SAMEORIGIN'
If you need to add to select HTTP responses you will need an iRule to identify which responses you wish to add the HTTP header into.
Stanislas_Piro2try this:
when HTTP_REQUEST { if { !([HTTP::header exists X-Frame-Options"])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" } elseif {!([HTTP::header Origin] equals "SAMEORIGIN") } { HTTP::header replace "X-Frame-Options" "SAMEORIGIN" } }
Greg_Donohoe_25Thank you for the response Andrew. I was looking for the irule syntax as I may need more than one response in header.
Muhammad_64435Just curious to know why we need to check if header doesn't exist before inserting one ?
If we don't check and keep inserting, it will keep overwriting the previous one, isn't it ?
I appreciate for any insight.
-mS
- Greg_Donohoe_25
Now I have all of the headers I need. oX-Frame-Options: SAMEORIGIN oX-XSS-Protection: 1; mode=block oX-Content-Type-Options: 'nosniff'
I am trying to amend your rule into the correct syntax but it does not work.
- Stanislas_Piro2
when HTTP_REQUEST { if { !([HTTP::header exists "X-Frame-Options"])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" } if { !([HTTP::header exists "X-XSS-Protection"])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" } if { !([HTTP::header exists "X-Content-Type-Options"])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" } } - Greg_Donohoe_25
That irule worked perfectly. Thanks for all your help.