dgytech
Dec 15, 2017

iRule to exclude specific URI from http header insert (x-frame-options) on http_response

Attempting to exclude two URIs from an HTTP header insert on an HTTP_RESPONSE. Basically, if the URI contains "/wp-login.php" or "/wp-admin", I do not want this header applied on the response.

I was previously inserting the header on all http_response: (old)

when HTTP_RESPONSE {
     HTTP::header insert X-FRAME-OPTIONS "SAMEORIGIN"
}

I now need to exclude two URIs from receiving the header: (new)

when HTTP_REQUEST {
    if {     ( [string tolower [HTTP::uri]] contains "/wp-login.php" )
     or ( [string tolower [HTTP::uri]] contains "/wp-admin" ) 
    } then {
        set insert_x_frame_options 0
    } else {
        set insert_x_frame_options 1
    }
}
when HTTP_RESPONSE {
    if { $insert_x_frame_options } then {
        HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN"
    }
}

My (new) iRule does appear to be working; however, I wonder if there is another/better way to accomplish this.

I assume you cannot apply "IF uri" logic to an http_response clause. Something like:

when HTTP_RESPONSE {
    set low_uri [string tolower [HTTP::uri]]
    if { not (
            ( $low_uri contains "/wp-login.php" ) or
            ( $low_uri contains "/wp-admin" )
        )
    } then {
        HTTP::header insert X-FRAME-OPTIONS "SAMEORIGIN"
    }
}

I hope this makes sense, any assistance/thoughts would be appreciated. Many Thanks!

2 Replies

  • You were almost there!

    Unverified and not tested for syntax errors, but this should work. 🙂

    when HTTP_REQUEST {
    
        set uri [string tolower [HTTP::uri]]
    
        if { $uri starts_with "/wp-login.php" or $uri starts_with "/wp-admin" } {
            set xins 0
        } else {
            set xins 1
        }
    
    }
    
    when HTTP_RESPONSE {
    
        # Also verify that the xins variable exists
        if { [info exists xins] && $xins } {
            HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN"
        }
    
    }
    
  • Lots of good answers above.

    Just to explain the logic of the required structure reflected in the above irules ...

    HTTP::uri is not valid in HTTP_RESPONSE

    Valid Events:
    ASM_REQUEST_DONE, CACHE_REQUEST, CACHE_RESPONSE, HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED,
    HTTP_PROXY_REQUEST, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, 
    REWRITE_REQUEST_DONE, SERVER_CONNECTED
    

    So you need to set a flag in HTTP_REQUEST that controls the HTTP_RESPONSE action. I hope this helps.
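
The flag pattern described in the replies, written out as an added example that is not part of any post in this thread. It assumes the two excluded WordPress paths from the question, matches on `HTTP::path` instead of `HTTP::uri`, and uses `HTTP::header replace`; the variable name `xfo_insert` is hypothetical.

```tcl
# Added example (not from the thread). Assumes the two excluded paths
# from the question; every other response gets the header.
when HTTP_REQUEST {
    # Default to inserting, so any request that is not explicitly
    # excluded stays protected. Set on every request because the
    # variable is connection-scoped and keep-alive reuses the connection.
    set xfo_insert 1

    # HTTP::path leaves out the query string, so only the requested
    # path can switch the header off; text in the query string cannot,
    # as it could with "[HTTP::uri] contains ...".
    switch -glob -- [string tolower [HTTP::path]] {
        "/wp-login.php" -
        "/wp-admin" -
        "/wp-admin/*" {
            set xfo_insert 0
        }
    }
}

when HTTP_RESPONSE {
    # info exists guards against a response for which HTTP_REQUEST
    # never set the flag.
    if { [info exists xfo_insert] && $xfo_insert } {
        # replace instead of insert: avoids a duplicate header when the
        # backend already sends X-Frame-Options, and still adds it when
        # the header is absent.
        HTTP::header replace "X-Frame-Options" "SAMEORIGIN"
    }
}
```

The exact-match and `/wp-admin/*` patterns are narrower than `starts_with "/wp-admin"`, so a path such as `/wp-administrator` still receives the header.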