Forum Discussion

Alan_Johnson_30
Nov 29, 2017

HTTP Security Headers - LTM Policies

Hi folks,

I'm trying to create some LTM Policies for the following:

• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy
• Strict-Transport-Security

I already have the following working iRules, but would like to use Policies instead to limit impact on CPU:

X-XSS-Protection
when HTTP_RESPONSE {
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
}


X-Content-Type-Options
when HTTP_RESPONSE {
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        # the value must be the bare token nosniff; sending it wrapped in quotes makes browsers ignore the header
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}


Content-Security-Policy
when HTTP_RESPONSE {
    # no trailing space inside the header name, or the exists check never matches
    if { !([HTTP::header exists "content-security-policy"]) } {
        HTTP::header insert "content-security-policy" "default-src 'self';"
    }
}


Strict-Transport-Security
when HTTP_RESPONSE {
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400"
    }
}

...and here's what I've come up with so far for LTM Policy versions. Full disclosure, I'm a total novice with policies. Am I even close?

ltm policy X-XSS-Protection {
    last-modified 2017-11-28:13:37:23
    requires { http }
    rules {
        X-XSS-Protection {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-XSS-Protection
                    value "1; mode=block"
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name X-XSS-Protection
                    contains
                    values { X-XSS-Protection }
                }
            }
        }
    }
    status published
    strategy first-match
}



ltm policy X-Content-Type-Options {
    last-modified 2017-11-28:13:37:19
    requires { http }
    rules {
        X-Content-Type-Options {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Content-Type-Options
                    value nosniff
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name X-Content-Type-Options
                    contains
                    values { X-Content-Type-Options }
                }
            }
        }
    }
    status published
    strategy first-match
}



ltm policy content-security-policy {
    last-modified 2017-11-28:13:37:25
    requires { http }
    rules {
        content-security-policy {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name content-security-policy
                    value "default-src 'self';"
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name content-security-policy
                    contains
                    values { content-security-policy }
                }
            }
        }
    }
    status published
    strategy first-match
}



ltm policy Strict-Transport-Security {
    last-modified 2017-11-28:13:37:15
    requires { http }
    rules {
        Strict-Transport-Security {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name Strict-Transport-Security
                    value max-age=16070400
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name Strict-Transport-Security
                    contains
                    values { Strict-Transport-Security }
                }
            }
        }
    }
    status published
    strategy first-match
}
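Added example (editor's code, not the poster's or F5's): a small Python audit that parses a constructed HTTP response and flags the four headers this thread inserts when they are missing or unusable, in particular the quoted 'nosniff' value from the original iRule, which browsers ignore. The CSP parser also shows the header's grammar (';' between directives, whitespace between the sources of one directive), which is what the multi-domain question later in the thread is asking about.

```python
# Constructed sample responses (not captured from the poster's BIG-IP): BEFORE
# is what the original iRules emit, with the literal quotes around 'nosniff'
# and no CSP at all; AFTER carries corrected values.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: 'nosniff'\r\n"
    "Strict-Transport-Security: max-age=16070400\r\n"
    "\r\n<html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=16070400\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://a.com\r\n"
    "\r\n<html>"
)

def parse_headers(raw):
    """Map lower-cased header names to values (header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """CSP grammar: ';' separates directives, whitespace separates one directive's sources."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit(raw):
    """Return findings for the four headers; an empty list means all are usable."""
    h = parse_headers(raw)
    findings = []
    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection missing or disabled")
    # Browsers only honour the bare token, so the quoted value is silently ignored.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not exactly nosniff")
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("Strict-Transport-Security missing or has no max-age")
    if "default-src" not in parse_csp(h.get("content-security-policy", "")):
        findings.append("Content-Security-Policy missing or has no default-src")
    return findings
```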
  • Question: We're running 13.1. What if we have an Existing Policy...is this something that can be added to the existing? (I didn't see where.) ....or would we create a second policy and apply (merge?) both policies? (If that is even possible.)


      crodriguez
      Ret. Employee

      You can have multiple local traffic policies on a single virtual server. There's no need to worry about order (as is sometimes the case with multiple iRules) due to the way the policies are "compiled" by the policy engine. You may be able to add the new rules to an existing policy but that depends entirely on what the existing policy does. I tend to favor keeping functionality separate and distinct, but that's just me.



  • We wish to do this as well. In our example we wish to allow from multiple domains such as:

    A.com
    B.com
    C.com

    Are these comma-separated values? Semicolon-separated values? Spaces in between or not? After implementing the change (no errors in web-ui), and generating test traffic, the x-frame-options header was NOT present in the response and we're not sure why.