Forum Discussion
panuwong
Nimbostratus
NimbostratusiRule
We are using some iRules to mitigate vulnerabilities on URLs. We have mitigated vulnerabilities on one URL based on generic iRules and we have same vulnerabilities in another URL so, we have called s...
PeteWhite
Employee
EmployeeYou need to add logs to work out what is happening:
when HTTP_RESPONSE_RELEASE {
log local0.debug "Response to [IP::client_addr]"
if {!([HTTP::header exists "X-Frame-Options" ])} {
log local0.debug "X-Frame-Options does not exist, inserting with value DENY"
HTTP::header insert "X-Frame-Options" "DENY"
} else {
log local0.debug "X-Frame-Options exists: [HTTP::header X-Frame-Options]"
}
if {!([HTTP::header exists "X-XSS-Protection"])} {
HTTP::header insert "X-XSS-Protection" "1; mode=block"
}
if {!([HTTP::header exists "X-Content-Type-Options"])} {
HTTP::header insert "X-Content-Type-Options" "nosniff"
}
if {!([HTTP::header exists "Strict-Transport-Security"])} {
HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"You can also simplify the iRule with the following:
when HTTP_RESPONSE_RELEASE {
set headerList [list "X-Frame-Options" "DENY" "X-XSS-Protection" "1; mode=block" "X-Content-Type-Options" "nosniff" "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
foreach {name value} $headerList {
if {!([HTTP::header exists $name ])} {
log local0.debug "[virtual name]:[IP::client_addr]:[TCP::client_port Header $name does not exist, inserting as $value"
HTTP::header insert $name $value
} else {
log local0.debug "[virtual name]:[IP::client_addr]:[TCP::client_port Header $name exists: [HTTP::header $name]"
}
}
}
