Forum Discussion

lossless_186906
Oct 26, 2018

Insert X-Frame-Options Header using LTM Policy

I am looking to insert the X-Frame-Options header using an LTM Policy instead of iRules (less resource intensive). Has anyone done it and can confirm whether the following would work, please, or suggest a better way?

ltm policy policy_HTTP_Security_Headers {
    requires { http }
    rules {
        Insert_X-Frame-Options_Header {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Frame-Options
                    value SAMEORIGIN
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name X-Frame-Options
                    not
                    values { SAMEORIGIN }
                }
            }
            ordinal 1
        }
    }
    strategy all-match
}

Would this insert the header if it's missing, or only replace it if it does not contain the correct value? Thank you in advance.

Regards, Los

  • This policy would insert the X-Frame-Options header in the response if the server's response didn't include an X-Frame-Options header with the value "SAMEORIGIN".


  • Just want to update all that I finally implemented the policy and it works perfectly. Ended up adding the X-Frame-Options as well as X-XSS-Protection headers. Below is the code for everyone who is looking to do the same:


    ltm policy policy_HTTP_Security_Headers {
        requires { http }
        rules {
            rule_Insert_X-Frame-Options_Header {
                actions {
                    0 {
                        http-header
                        response
                        insert
                        name X-Frame-Options
                        value SAMEORIGIN
                    }
                }
                conditions {
                    0 {
                        http-header
                        response
                        name X-Frame-Options
                        not
                        values { SAMEORIGIN }
                    }
                }
                ordinal 2
            }
            rule_Insert_X-XSS-Protection_Header {
                actions {
                    0 {
                        http-header
                        response
                        insert
                        name X-XSS-Protection
                        value "1;mode=block"
                    }
                }
                conditions {
                    0 {
                        http-header
                        response
                        name X-XSS-Protection
                        not
                        values { "1;mode=block" "1; mode=block" }
                    }
                }
                ordinal 1
            }
        }
        strategy all-match
    }

    Cheers, L
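Once a policy like the one above is attached to a virtual server, the thing to verify is what clients actually receive, including the two cases the policy's conditions are written to catch: the header missing entirely, and the header present with a value other than the expected one. The POSIX sh check below is an added example, not code from the thread or from F5. It works on a plain header dump (what `curl -sI` prints), distinguishes "missing" from "wrong value", and, like the policy's X-XSS-Protection condition, treats "1;mode=block" and "1; mode=block" as equivalent. The two sample responses are constructed for the demo; the curl URL in the usage comment is hypothetical.

```shell
# Added example (not from the thread or from F5): check that a virtual server's
# response carries the security headers the LTM policy is meant to add.
# POSIX sh; sample responses below are constructed, not real server output.

# header_value RESPONSE NAME
# Prints the value of the first header named NAME (case-insensitive), with CRs
# and surrounding whitespace stripped. Prints nothing if the header is absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[^ \t:]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}

# normalize VALUE
# Drops spaces and lower-cases, so "1; mode=block" and "1;mode=block" compare
# equal (the two spellings the policy above accepts).
normalize() {
    printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z'
}

# check_headers RESPONSE
# Reports each expected header as OK, MISSING or WRONG. Returns 0 only if every
# header is present with the expected value; 1 otherwise.
check_headers() {
    resp=$1
    rc=0
    for pair in "X-Frame-Options=SAMEORIGIN" "X-XSS-Protection=1;mode=block"; do
        name=${pair%%=*}      # text before the first '='
        expected=${pair#*=}   # text after the first '=' (may itself contain '=')
        actual=$(header_value "$resp" "$name")
        if [ -z "$actual" ]; then
            echo "MISSING  $name"
            rc=1
        elif [ "$(normalize "$actual")" != "$(normalize "$expected")" ]; then
            echo "WRONG    $name: got '$actual', expected '$expected'"
            rc=1
        else
            echo "OK       $name: $actual"
        fi
    done
    return $rc
}

# Constructed sample header dumps (the shape `curl -sI` produces).
GOOD_RESPONSE='HTTP/1.1 200 OK
Server: BigIP
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html'

BAD_RESPONSE='HTTP/1.1 200 OK
Server: BigIP
X-Frame-Options: ALLOWALL
Content-Type: text/html'

# Usage against a real virtual server (hypothetical URL):
#   resp=$(curl -sI https://vip.example.com/); check_headers "$resp"
```

Run it against the good and bad samples and you get one OK line per header for the first, and a WRONG line for X-Frame-Options plus a MISSING line for X-XSS-Protection for the second. Keeping the WRONG case separate from MISSING matters here: the policy's action is `insert` rather than `replace`, so what happens to a conflicting value sent by the pool member is worth confirming on your own unit rather than assuming.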