Forum Discussion

Nimbostratus

Feb 23, 2025

iRule

We are using some iRules to mitigate vulnerabilities on URLs. We have mitigated vulnerabilities on one URL based on generic iRules and we have same vulnerabilities in another URL so, we have called s...

devops

security

PeteWhite

Employee

Mar 03, 2025

You need to add logs to work out what is happening:

when HTTP_RESPONSE_RELEASE {
    log local0.debug "Response to [IP::client_addr]"
    if {!([HTTP::header exists "X-Frame-Options" ])} {
        log local0.debug "X-Frame-Options does not exist, inserting with value DENY"
        HTTP::header insert "X-Frame-Options" "DENY"
    } else {
        log local0.debug "X-Frame-Options exists: [HTTP::header X-Frame-Options]"
    }
    if {!([HTTP::header exists "X-XSS-Protection"])} {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if {!([HTTP::header exists "X-Content-Type-Options"])} {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"

You can also simplify the iRule with the following:

when HTTP_RESPONSE_RELEASE {
    set headerList [list "X-Frame-Options" "DENY" "X-XSS-Protection" "1; mode=block" "X-Content-Type-Options" "nosniff"  "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    foreach {name value} $headerList {
         if {!([HTTP::header exists $name ])} {
            log local0.debug "[virtual name]:[IP::client_addr]:[TCP::client_port Header $name does not exist, inserting as $value"
            HTTP::header insert $name $value
          } else {
              log local0.debug "[virtual name]:[IP::client_addr]:[TCP::client_port Header $name exists: [HTTP::header $name]"
          }
    }
}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)