For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jonathan_S__Fis's avatar
Jonathan_S__Fis
Icon for Nimbostratus rankNimbostratus
May 20, 2016

is it possible to write a custom http header authentication module? like check a cypto signature and expiration date?

Is it possible to write a custom http header authentication module? If a certain header exists, I'd like to check a cryptographic signature on it and then verify the header hasn't expired.   Is th...
AAM
access access policy manager apm depolyment design dev news security techtip
application delivery
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 20, 2016

Well, yes of course. There's not much you really can't do with iRules (the F5 programmability API), so such a thing would be extremely reasonable.

when HTTP_REQUEST {
    if { [HTTP::header exists MYAUTHHDR] } {
         do something with that header
    }
}

The real question, however, is how you would implement such a thing securely. HTTP headers don't usually provide any sort of challenge-response mechanism, so you'd have to create such a thing, both in iRules AND within the client from scratch, and you'd have to make sure that a) the communication was encrypted, and b) that it is (hopefully) not spoofable.