StephenGonsalv1
Sep 12, 2017

iRule creation for HTTP headers using data groups

Hi All

Need your help to create an iRule to permit the following HTTP headers and drop all (x-) others. Need to work this through by creating a data group for the below headers so that we don't have to disturb the iRule every time. Your speedy response would be appreciated.

  • X-XSS-Protection
  • X-Content-Type-Options
  • x-frame-options

=====================================================

    when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server

        # Remove all headers starting with x- (i.e. X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version)
        foreach header_name [HTTP::header names] {
            if {[string match -nocase x-* $header_name]} {
                # This header needs to be allowed to mitigate clickjacking
                if {[string match -nocase x-frame-options $header_name]} {
                    continue
                }

                HTTP::header remove $header_name
            }
        }
    }

1 Reply

  • Not tested, but this should be close.

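    when HTTP_RESPONSE {
        # The headers in question are response headers, so filter in HTTP_RESPONSE
        foreach hn [HTTP::header names] {
            # Only X- headers are candidates for removal
            if { $hn starts_with "x-" or $hn starts_with "X-" } {
                # Keep the header only if its name is listed in the data group;
                # "equals" is case-sensitive, so entries must match the case the server sends
                if { ![class match $hn equals my-data-group] } {
                    HTTP::header remove $hn
                }
            }
        }
    }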
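
A check to run once the iRule is in place, added here as an example and not part of the original thread: it reads a response header block and lists `Server` plus any X- header outside the three-header allowlist from the question. The function name `audit_headers`, the variable names and both sample responses are constructed for illustration.

```shell
# Allowlist taken from the question; kept lowercase because the comparison
# below lowercases header names (HTTP header names are case-insensitive).
ALLOWED_X_HEADERS="x-xss-protection x-content-type-options x-frame-options"

# audit_headers (hypothetical helper): reads raw response headers on stdin and
# prints, one per line and lowercased, every header the iRule should have removed.
audit_headers() {
    awk -v allowed="$ALLOWED_X_HEADERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[^ \t:]+:/ {                          # header lines only, not the status line
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == "server") { print name; next }
            if (name ~ /^x-/ && !(name in keep)) print name
        }
    '
}

# Constructed sample: a backend response before any filtering.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
x-frame-options: SAMEORIGIN
Content-Type: text/html'

# Constructed sample: the same response as the client should see it afterwards.
SAMPLE_AFTER='HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
```

Against a live virtual server, pipe the output of `curl -sI` for the site into `audit_headers`; empty output means nothing outside the allowlist reached the client.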