Forum Discussion
Zach_C_355943
Mar 16, 2018 Nimbostratus
Issues with X-XSS Protection HTTP Header
Hey folks, we recently implemented some HTTP headers onto our F5 irules and recently noticed that one of them (X-XSS-Protection) isn't showing up.
At the moment, we have them in place in our irule ...
- Apr 25, 2018
Following up! Turns out the answer is we needed to have these headers under "HTTP_RESPONSE" (not REQUEST). What it looks like in a working state in our irules:
when HTTP_RESPONSE {
    # HTML Headers for PCI failures
    if { !([HTTP::header exists "X-Frame-Options"])} {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { !([HTTP::header exists "X-XSS-Protection"])} {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if { !([HTTP::header exists "X-Content-Type-Options"])} {
        # The value is the bare token nosniff, with no quote characters inside it
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
Lee_Sutcliffe
Mar 16, 2018 Nacreous
At first glance I can't see anything wrong with your iRule. Could you try the following? I've added logging to the X-XSS-Protection if statement to see if it already exists and what its value is.
Have you also tried this in a web browser developer window and received the same results?
when HTTP_REQUEST {
    if { !([HTTP::header exists "X-Frame-Options"])} {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { !([HTTP::header exists "X-XSS-Protection"])} {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    } else {
        # Log the value when the header is already present
        log local0. "Header X-XSS-Protection exists, Value:[HTTP::header value X-XSS-Protection]"
    }
    if { !([HTTP::header exists "X-Content-Type-Options"])} {
        # The value is the bare token nosniff, with no quote characters inside it
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
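A check for the outcome this thread is about, added here as an example and not part of any post: it audits a raw HTTP response for the three headers, flagging ones that never reach the client (as when they are inserted only in HTTP_REQUEST), duplicates, and values that differ from what the iRule sets. The function names and sample responses are constructed for illustration, and the expected values are assumed to match your policy.

```python
# Added example: audit a raw HTTP response for the three headers set in the thread.
# Expected values are the ones the thread's iRule inserts (assumed to be your policy),
# compared case-insensitively with whitespace removed.
EXPECTED = {
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1;mode=block",
    "x-content-type-options": "nosniff",
}

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw HTTP response."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize(value):
    """Lowercase and drop all whitespace so '1; mode=block' equals '1;mode=block'."""
    return "".join(value.lower().split())

def audit(raw):
    """Return a list of findings; an empty list means all three headers are correct."""
    headers = parse_headers(raw)
    findings = []
    for name, expected in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times")
        for value in values:
            if normalize(value) != expected:
                quoted = normalize(value).strip("'\"") == expected
                hint = " (literal quotes in value)" if quoted else ""
                findings.append(f"{name}: unexpected value {value!r}{hint}")
    return findings

# Constructed sample responses, not captured from a real system.
BASE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
NO_HEADERS = BASE + "\r\n<html></html>"
GOOD = (BASE + "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n<html></html>")
QUOTED = GOOD.replace("nosniff", "'nosniff'")

if __name__ == "__main__":
    for label, raw in (("no headers", NO_HEADERS), ("good", GOOD), ("quoted", QUOTED)):
        print(label, audit(raw) or "OK")
```

Feed it the response headers as seen by the client, for example copied from the browser developer tools.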