Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Exploitation_Re's avatar
Exploitation_Re
Icon for Nimbostratus rankNimbostratus
Apr 10, 2019

Irule HTTP header remove

Hi,   I need to do an irule to remove arguments in a response HTTP header.   when HTTP_RESPONSE { HTTP::header remove Server HTTP::header remove X-Powered-By   }   But I...
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 10, 2019

Hi Exploitation Reseau Almerys,

you need to check the HTTP-Path (or HTTP::uri) within the 

HTTP_REQUEST
event and then 
set
a 
$variable
with the outcome of the check (e.g. Boolean 
0|1
). The 
$variable
can then be used to selectively remove HTTP-Response-Headers as needed. 

when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/somepath/file.txt" {
            set remove_header 0
        }
        "/somepath/*" {
            set remove_header 1
        }
        "/somepath/*.txt" {
            set remove_header 0
        }
        "/somepath/*" {
            set remove_header 1
        }
        "/someotherpath/*" {
            set remove_header 1
        }
        "/someotherpath/file.txt" {
             Note this wont work because the previous condition was already triggered.
            set remove_header 0
        }
        default {
            set remove_header 0
        }
    }
}
when HTTP_RESPONSE {
    if { $remove_header == 1 } then {
        HTTP::header remove "Server"
        HTTP::header remove "X-Powered-By"
    }
}

Cheers, Kai