For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

drodyc's avatar
drodyc
Icon for Nimbostratus rankNimbostratus
May 18, 2021

iFrames iRule

The distant end customer is requesting for iFrame headers for their application via HTTPS. How would I activate iFrame headers with iRules?   Could I have one written out for a specific URL and o...
devops
iframes
irule
iRules
LTM
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
May 19, 2021

I agree with Dario that this seems a job for the Dev Team. F5 has options to modify the content in the server response with Stream profile or HTTP::payload replace but for such a thing it will be complicated:

 

 

https://support.f5.com/csp/article/K39394712

 

https://support.f5.com/csp/article/K7027

 

https://clouddocs.f5.com/api/irules/STREAM__expression.html

 

 

 

 

 

https://clouddocs.f5.com/api/irules/HTTP__payload.html

 

https://support.f5.com/csp/article/K07535385

 

  • drodyc's avatar
    drodyc
    Icon for Nimbostratus rankNimbostratus
    May 27, 2021

    It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

     

    1. when HTTP_RESPONSE {
    2. #X-Frame-Options
    3. HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
    4. }

     

    Is it recommended to use this iRule below?

    1. when HTTP_RESPONSE {
    2. HTTP::header replace X-Frame-Options "SAMEORIGIN"
    3. }

     

    Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!