For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Zuke_254875's avatar
Zuke_254875
Icon for Altostratus rankAltostratus
Dec 14, 2016

Insert X-Frame-Options header when specific URI is not used

I am having a tricky time getting an iRule to match criteria. I am trying to get the X-Frame-Options SAMEORIGIN header inserted whenever a URI does NOT match a specific string. Here is the rule I h...
application delivery
BIG-IP
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Dec 14, 2016

Hi Zuke,

you may try the iRule below to conditional inject the X-Frame-Option header...

when HTTP_REQUEST {
    if {     ( [string tolower [HTTP::host]] eq "domain.example.edu" )
     and not ( [string tolower [HTTP::uri]] starts_with "/sites/prod" ) } then {
        set insert_x_frame_options 1
        log local0.debug "[HTTP::host][HTTP::uri] requires x_frame_options"
    } else {
        set insert_x_frame_options 0
        log local0.debug "[HTTP::host][HTTP::uri] does not require x_frame_options"
    }
}
when HTTP_RESPONSE {
    if { $insert_x_frame_options } then {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
        log local0.debug "Injected x_frame_options"
    }
}

Cheers, Kai