Zach_C_355943
Mar 16, 2018 (Nimbostratus)
Issues with X-XSS Protection HTTP Header
Hey folks, we recently implemented some HTTP headers in our F5 iRules and recently noticed that one of them (X-XSS-Protection) isn't showing up.
At the moment, we have them in place in our iRule as such:
when HTTP_REQUEST {
    # HTTP_REQUEST fires on the client's request; HTTP::header here operates on that request
    if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
    if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
    # Header value is the bare token nosniff; the original had literal single quotes around it
    if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
}
When we run a curl URL -I against the site, it returns the X-Content-Type-Options and X-Frame-Options headers, but not the X-XSS-Protection header. Is there something we're doing wrong?
Thanks!
Following up! Turns out the answer is we needed to have these headers under "HTTP_RESPONSE" (not REQUEST). What it looks like in a working state in our iRules:
when HTTP_RESPONSE {
    # HTML headers for PCI failures; HTTP_RESPONSE fires on the server's response, which is what the client receives
    if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
    if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
    # Header value is the bare token nosniff; the original had literal single quotes around it
    if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
}
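The thread verifies the fix by hand with curl -I. As an added example (not the poster's code and not an F5 tool), here is a small POSIX shell check that reads response headers from stdin and names any of the three headers that are missing, so the iRule change can be confirmed from a script. The sample headers below are constructed, with X-XSS-Protection left out on purpose; the example.test URL in the usage comment is an assumption.

```shell
#!/bin/sh
# Constructed sample of what `curl -I` prints for one response (not captured
# from the poster's site). X-XSS-Protection is deliberately absent, matching
# the symptom described in the question.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Length: 1234'

# Reads raw response headers on stdin and prints, one per line, each expected
# security header that does not appear at the start of a line. Header names are
# compared case-insensitively, as HTTP requires; CRLF line endings are tolerated.
# Exit status: 0 when all three are present, 1 when any is missing.
missing_security_headers() {
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for h in x-frame-options x-xss-protection x-content-type-options; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Usage against a live virtual server (assumed URL; -I requests headers only):
#   curl -sI https://example.test/ | missing_security_headers
```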