iFrames iRule

Question

The distant end customer is requesting for iFrame headers for their application via HTTPS. How would I activate iFrame headers with iRules?

Could I have one written out for a specific URL and one that is a generic iFrame header that will allow iFrame if requested?

I honestly am not sure how iFrame even works. I just know the distant end user needs the iFrame headers to come in so that their dashboard application works on firefox. Thank you so much

dario_garrido · Answer

Hello Drodyc.The iframes should be constructed in your backend server for being delived to your clients.After that, you can use them in a different sites using something like this:&lt;iframe src="https://mydomain.com"&gt;&lt;/iframe&gt;For security reasons, one browser is not going to display iframes not belonging to the domain requested.You can control that using one specific HTTP header called 'X-Frame-Options' (see https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options).So you can configure your website to allow iframes from 'mydomain.com' using this HTTP header.X-Frame-Options: ALLOW-FROM https://mydomain.com/This header could be controlled in your backend server o directly in your F5 with an iRule.when HTTP_RESPONSE {
	#X-Frame-Options
	HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
}Regards,Dario.

nikoolayy1 · Answer

I agree with Dario that this seems a job for the Dev Team. F5 has options to modify the content in the server response with Stream profile or HTTP::payload replace but for such a thing it will be complicated:

https://support.f5.com/csp/article/K39394712

https://support.f5.com/csp/article/K7027

https://clouddocs.f5.com/api/irules/STREAM__expression.html

https://clouddocs.f5.com/api/irules/HTTP__payload.html

https://support.f5.com/csp/article/K07535385

drodyc · Answer

It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

when HTTP_RESPONSE {
#X-Frame-Options
HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
}

Is it recommended to use this iRule below?

when HTTP_RESPONSE {
HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

drodyc · Answer

It seems as though our backend server guys would rather us have our BIG-IP to make this work as oppose there servers. I have tried the iRule below. The distant end users reported that it did not work. I used our backend server's URL and our distant end user's URL and both was unsuccessful. Is this iRule below is all I need or am I missing other lines? Should the 1st line be HTTP_RESPONSE or HTTP_REQUEST?

when HTTP_RESPONSE {
#X-Frame-Options
HTTP::header insert X-Frame-Options "ALLOW-FROM https://mydomain.com/"
}

Is it recommended to use this iRule below?

when HTTP_RESPONSE {
HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

Lastly, do I need to modify a DB value in CLI or is that only for APM? Thank you so much!

Forum Discussion

iFrames iRule

4 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

F5 BIG IP laboratory license

F5 mssql health monitor failing

How can I get started with iCall

Connection Rest f5

Related Content

Applying APM on an iframe

iRules Style Guide

iFrame iRule

Managing Model Context Protocol in iRules - Part 3

Managing Model Context Protocol in iRules - Part 1

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS