For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Hotchkiss's avatar
Chris_Hotchkiss
Icon for Nimbostratus rankNimbostratus
Feb 29, 2012

iRule to mitigate CSRF

Some of our application developers are asking about an iRule that could possibly insert a nonce onto a page during a session that would help prevent a cross-site request forgery from happening. Unfortunately the native software doesn't do this and has said it will be a couple of months before they can get it fixed.

 

 

I've written a few iRules but was hoping to knock this out quickly if someone could point me in the right direction. Thanks.

 

application delivery
dev
devops
iRules

1 Reply

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 29, 2012
    Hi Chris,

     

     

    There is built in functionality to do this in the Application Security Manager (ASM). I guess it's technically possible to do in an iRule--but it would be complicated to try to parse each parameter from the response HTML and inject the nonce.

     

     

    Aaron