Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Randell_375239's avatar
Randell_375239
Icon for Nimbostratus rankNimbostratus
Oct 23, 2018

Inserting multiple values for the same HTTP Header

Hi,   I'm trying to insert 2 values for the HTTP header X-Frame-Options and wasn't sure what the correct syntax is. The following doesn't seem to work:   when HTTP_RESPONSE { HTTP::header ...
application delivery
irules
crodriguez's avatar
crodriguez
Ret. Employee
Oct 23, 2018

Per RFC 7034 HTTP Header Field X-Frame-Options:

   The header field name is:

      X-Frame-Options

   There are three different values for the header field.  These values
   are mutually exclusive; that is, the header field MUST be set to
   exactly one of the three values.

I interpret that to mean you can't specify multiple X-Frame-Options headers to achieve a combination of options. My guess is that, even if you did specify multiple X-Frame-Options headers in the response, only one will ever be honored by the browser, and the only question is which one - the first or the second - since they are mutually exclusive.

I'm not an expert but I've seen some articles that indicate you might be able to do this with the Content-Security-Policy frame-ancestors directive, which does support multiple origins.