Forum Discussion
Inserting X-frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security
Hi,
We have multiple web applications running on a single virtual server with host/domain based pool routing.
For example:
red.lab.ae
green.lab.ae
iRule:
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        red.lab.ae {
            pool Red_Pool1
        }
        green.lab.ae {
            pool Green_Pool1
        }
    }
}
In order to mitigate the Qualys security scan finding QID 11827, please let me know if there is any option to insert the missing security HTTP response headers only for one host name (for example, for green.lab.ae only) in the iRule.
Hi Preet_pk,
when HTTP_REQUEST {
    # Remember whether this request was routed to the host that needs the headers
    set status 0
    switch [string tolower [HTTP::host]] {
        "red.lab.ae" {
            pool Red_Pool1
        }
        "green.lab.ae" {
            set status 1
            pool Green_Pool1
        }
    }
}
when HTTP_RESPONSE {
    if { $status } {
        # Only add a header when the pool member did not already send it
        if { !([HTTP::header exists "Strict-Transport-Security"]) } {
            HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains;"
        }
        if { !([HTTP::header exists "X-Content-Type-Options"]) } {
            HTTP::header insert "X-Content-Type-Options" "nosniff"
        }
        if { !([HTTP::header exists "X-Frame-Options"]) } {
            HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
        }
        if { !([HTTP::header exists "X-XSS-Protection"]) } {
            HTTP::header insert "X-XSS-Protection" "1; mode=block"
        }
    }
}
You may need to change the header values.
Before adding the X-XSS-Protection header, read this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
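After deploying a rule like the one above, the practical next step is to confirm that the headers really appear on green.lab.ae responses and that the values are sane (the iRule only inserts a header when the backend did not already send one, so a weak backend value would be passed through untouched). The following Python checker is an added example written for this thread; it is not F5 code and not part of the original answer. It parses a raw HTTP/1.x response, reports each of the four headers as missing, duplicated, or carrying a weak value, and runs against two constructed sample responses standing in for the two hosts. The header names and the acceptable values are assumptions based on the headers discussed in the thread.

```python
"""Verify the security response headers an iRule is meant to add.

Constructed sample responses below stand in for what a client would receive
from red.lab.ae and green.lab.ae; nothing here is captured traffic or F5 code.
"""
import re
from typing import Callable, Dict, List, Tuple


def _hsts_ok(value: str) -> bool:
    """Accept an HSTS value with a positive max-age.

    Directives are ';'-separated; a trailing ';' (as in the iRule above)
    produces an empty directive, which is ignored rather than rejected.
    """
    directives = [d.strip() for d in value.split(";") if d.strip()]
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d, re.IGNORECASE)
        if m:
            return int(m.group(1)) > 0
    return False


# Header name (lower-case) -> validator for its value.  Assumed set, matching
# the four headers named in the thread.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.strip().split(";")[0].strip() in ("0", "1"),
}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased; repeated headers are kept as a list so that
    duplicates can be detected (e.g. backend and iRule both adding one).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(raw: bytes) -> Dict[str, str]:
    """Return {header: problem} for each required header that is missing,
    duplicated, or carries a weak/unexpected value.  Empty dict means OK."""
    _status, headers = parse_response(raw)
    problems: Dict[str, str] = {}
    for name, valid in REQUIRED.items():
        values = headers.get(name, [])
        if not values:
            problems[name] = "missing"
        elif len(values) > 1:
            problems[name] = "duplicated: " + " | ".join(values)
        elif not valid(values[0]):
            problems[name] = "weak or malformed value: " + values[0]
    return problems


# Constructed samples: what green.lab.ae should return once the iRule is
# active, and what red.lab.ae returns when nothing is inserted.
GREEN = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html\r\n"
         b"Strict-Transport-Security: max-age=16070400; includeSubDomains;\r\n"
         b"X-Content-Type-Options: nosniff\r\n"
         b"X-Frame-Options: SAMEORIGIN\r\n"
         b"X-XSS-Protection: 1; mode=block\r\n"
         b"\r\n<html></html>")
RED = (b"HTTP/1.1 200 OK\r\n"
       b"Content-Type: text/html\r\n"
       b"\r\n<html></html>")

if __name__ == "__main__":
    for host, raw in (("green.lab.ae", GREEN), ("red.lab.ae", RED)):
        print(host, audit(raw) or "all required headers present")
```

In a real check, replace the constructed byte strings with the raw response from each host (for example, from a TLS socket or a proxy capture) and treat any non-empty result for the protected host as a failed deployment.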