
panuwong
Feb 24, 2025

iRule

We are using some iRules to mitigate vulnerabilities on URLs. We have mitigated vulnerabilities on one URL based on generic iRules, and we have the same vulnerabilities in another URL, so we have called the same iRule in the same sequence on that VIP too, but when the security team scans the URL again, no vulnerability is gone. I am not sure why those iRules which are working on another URL are not working on this URL; there are no specific settings in those iRules, all are having generic values.

Do you have any recommendation or suggestion for me to check?

# Insert each security header only when the backend response did not already set it
when HTTP_RESPONSE_RELEASE {
    if {!([HTTP::header exists "X-Frame-Options" ])} {
        HTTP::header insert "X-Frame-Options" "DENY"
    }
    if {!([HTTP::header exists "X-XSS-Protection"])} {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if {!([HTTP::header exists "X-Content-Type-Options"])} {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}

  • You need to add logs to work out what is happening:

    when HTTP_RESPONSE_RELEASE {
        log local0.debug "Response to [IP::client_addr]"
        if {!([HTTP::header exists "X-Frame-Options" ])} {
            log local0.debug "X-Frame-Options does not exist, inserting with value DENY"
            HTTP::header insert "X-Frame-Options" "DENY"
        } else {
            log local0.debug "X-Frame-Options exists: [HTTP::header X-Frame-Options]"
        }
        if {!([HTTP::header exists "X-XSS-Protection"])} {
            HTTP::header insert "X-XSS-Protection" "1; mode=block"
        }
        if {!([HTTP::header exists "X-Content-Type-Options"])} {
            HTTP::header insert "X-Content-Type-Options" "nosniff"
        }
        if {!([HTTP::header exists "Strict-Transport-Security"])} {
            HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
        }
    }

    You can also simplify the iRule with the following:

    when HTTP_RESPONSE_RELEASE {
        # name/value pairs; each header is inserted only if the response lacks it
        set headerList [list "X-Frame-Options" "DENY" "X-XSS-Protection" "1; mode=block" "X-Content-Type-Options" "nosniff" "Strict-Transport-Security" "max-age=16070400; includeSubDomains"]
        foreach {name value} $headerList {
            if {!([HTTP::header exists $name])} {
                log local0.debug "[virtual name]:[IP::client_addr]:[TCP::client_port] Header $name does not exist, inserting as $value"
                HTTP::header insert $name $value
            } else {
                log local0.debug "[virtual name]:[IP::client_addr]:[TCP::client_port] Header $name exists: [HTTP::header $name]"
            }
        }
    }
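As an added example (not code from either post in this thread), a small POSIX shell checker to run against a response captured from the VIP: the iRule inserts a header only when it is absent, so a backend that already sends, say, X-Frame-Options with another value shows up in the "exists" log line above and is left untouched by the iRule; the script reports that case separately from a header that is really missing. The curl command and the host/path in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from either post: check one captured response
# against the headers the iRule is supposed to insert. Capture with e.g.
#   curl -s -D headers.txt -o /dev/null https://<vip-host>/<path>
# (host and path are placeholders). Because the iRule only inserts a header
# when it is absent, a header the backend already sends with a different
# value is left untouched; this script reports that case as PRESENT.

# Expected name|value pairs, exactly as in the iRule from the question.
EXPECTED='X-Frame-Options|DENY
X-XSS-Protection|1; mode=block
X-Content-Type-Options|nosniff
Strict-Transport-Security|max-age=16070400; includeSubDomains'

# Print the value of header $2 from the header file $1 (name match is
# case-insensitive, CRLF is stripped); prints nothing if it is absent.
header_value() {
    tr -d '\r' < "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# One line per expected header: OK, MISSING, or PRESENT with another value.
# Returns 0 only when every header matches the iRule's value.
check_security_headers() {
    _file=$1
    _bad=0
    while IFS='|' read -r name want; do
        got=$(header_value "$_file" "$name")
        if [ -z "$got" ]; then
            echo "MISSING  $name  (iRule should have inserted '$want')"
            _bad=1
        elif [ "$got" = "$want" ]; then
            echo "OK       $name: $got"
        else
            echo "PRESENT  $name: $got  (backend value kept, differs from '$want')"
            _bad=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $_bad
}

# Constructed sample: backend already sends SAMEORIGIN and no HSTS header.
SAMPLE=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n' > "$SAMPLE"
check_security_headers "$SAMPLE"; echo "exit status: $?"
rm -f "$SAMPLE"
```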