Forum Discussion

dgytech's avatar
dgytech
Icon for Altostratus rankAltostratus
Dec 15, 2017

iRule to exclude specific URI from http header insert (x-frame-options) on http_response

Attempting to exclude two URI from a http header insert on a HTTP_RESPONSE. Basically if the URI contains "/wp-login.php" or "/wp-admin" i do not want this header applied on the response.

I was previously inserting the header on all http_response: (old)

when HTTP_RESPONSE {
     HTTP::header insert X-FRAME-OPTIONS "SAMEORIGIN"
}

I now need to exclude two URI from receiving the header: (new)

when HTTP_REQUEST {
    if {     ( [string tolower [HTTP::uri]] contains "/wp-login.php" )
     or ( [string tolower [HTTP::uri]] contains "/wp-admin" ) 
    } then {
        set insert_x_frame_options 0
    } else {
        set insert_x_frame_options 1
    }
}
when HTTP_RESPONSE {
    if { $insert_x_frame_options } then {
        HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN"
    }
}

My (new) irule does appear to be working however, i wonder if there is another/better way to accomplish this.

I assume you can not apply "IF uri" logic to a http_response clause. Something like:

when HTTP_RESPONSE {
set low_uri [string tolower [HTTP::uri]]
if { not (
            ( $low_uri contains "/wp-login.php") or 
            ( $low_uri contains "/wp-admin" )
    ) 
} then { 
    HTTP::header insert X-FRAME-OPTIONS "SAMEORIGIN"
}
}

I hope this makes sense, any assistance/thoughts would be appreciated. Many Thanks!

iRules
LTM
security
  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Dec 17, 2017

    You were almost there!

    Unverified and not tested for syntax errors, but this should work. 🙂

    when HTTP_REQUEST {

    set uri [string tolower [HTTP::uri]]

    if { $uri starts_with "/wp-login.php" or $uri starts_with "/wp-admin" } {
        set xins 0
    } else {
        set xins 1
    }

}

when HTTP_RESPONSE {

    Also verify that the xins variable exists
    if { [info exists xins] && $xins } {
        HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN"
    }

}
  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Dec 17, 2017

    Lots of good answers above.

    Just to explain the logic of the required structure reflected in the above irules ...

    HTTP::uri is not valid in HTTP_RESPONSE

    Valid Events:
ASM_REQUEST_DONE, CACHE_REQUEST, CACHE_RESPONSE, HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED,
HTTP_PROXY_REQUEST, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, 
REWRITE_REQUEST_DONE, SERVER_CONNECTED

    So you need to set a flag in HTTP_REQUEST that controls the HTTP_RESPONSE action. I hope this helps.