Forum Discussion

visual2008_3086

Nimbostratus

Oct 17, 2017

HTTP header X-XSS-Protection, X-Content-Type-Options issue

I am trying to insert the HTTP header X-XSS-Protection, X-Content-Type-Options in order to mitigate a security vunerability. I have found an irule solution, but when I implemented the solution, a cod...

Nacreous

Oct 17, 2017

You had an incorrect quotation mark at the end of your header type in the IF statement. This was preventing the close braces from working correctly.

I've corrected the code:

when HTTP_RESPONSE { 
    if {!([HTTP::header exists "X-Content-Type-Options" ])} { 
        HTTP::header insert "X-Content-Type-Options" "'nosniff'"
    }

    if {!([ HTTP::header exists "X-XSS-Protection"])} { 
        HTTP::header insert "X-XSS-Protection" "1; mode=block" 
    } 
}

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

HTTP header X-XSS-Protection, X-Content-Type-Options issue

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Cannot ping external interface

Dump all host running services during APM logon

NGINX event logs send to F5 Data Collection Device and analysis from BIG-IQ it possible or not?

Failed to execute iptable cmd: ," CMD="iptables -A SSH_ALLOW_RULES error

HA Failover between two Datacenters

Related Content

x-content-type-options

Issues with X-XSS Protection HTTP Header

Inserting X-frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security

Security Headers Insertion

(HTTP) Redirection via Arbitrary Host Header

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS