iRule to mitigate CSRF

Question

Some of our application developers are asking about an iRule that could possibly insert a nonce onto a page during a session that would help prevent a cross-site request forgery from happening. Unfortunately the native software doesn't do this and has said it will be a couple of months before they can get it fixed. &nbsp;
&nbsp;I've written a few iRules but was hoping to knock this out quickly if someone could point me in the right direction. Thanks.&nbsp;

hooleylist · Answer

Hi Chris, 
&nbsp;  
&nbsp; There is built in functionality to do this in the Application Security Manager (ASM).  I guess it's technically possible to do in an iRule--but it would be complicated to try to parse each parameter from the response HTML and inject the nonce. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

iRule to mitigate CSRF

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect

Vulnerability Mitigation

Open redirect mitigation

Mitigating recent HTTP/2 DoS vulnerabilities with BIG-IP

Mitigating Unwanted Communication On Your Service Network

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS