Forum Discussion
LTM Management UI Security Settings
I am having a similar issue after a security audit:
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN".
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.
I was able to remediate all my issues with the following irules for each:
when HTTP_RESPONSE {
    # Only add a CSP when the backend did not already send one
    # (the header name must not carry a trailing space, or the check never matches)
    if { !([HTTP::header exists "content-security-policy"]) } {
        HTTP::header insert "content-security-policy" "default-src 'self';"
    }
}
when HTTP_RESPONSE {
    # Overwrites any existing X-Frame-Options value (inserted if absent)
    HTTP::header replace "X-Frame-Options" "SAMEORIGIN"
}
when HTTP_RESPONSE {
    # insert takes the name and the value as two separate arguments
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
Referrer Policy (this resolved the Feature Policy as well):
when HTTP_REQUEST {
    switch -glob [HTTP::header "Referer"] {
        "http://www.tssdev.ae.com/*" {
            # Allow Request to go through...
        }
        "" {
            HTTP::respond 200 content ""
        }
        default {
            HTTP::redirect [HTTP::header "Referer"]
        }
    }
}
*** For header-related tests, check out https://securityheaders.com/ ***
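To verify that a rule set like the one above actually produces what the audit asks for, it helps to have an offline checker that evaluates a captured set of response headers rather than relying on an external scanner. The following Python script is an added example, not part of the original post and not F5 code; the header sets `HARDENED`, `BARE` and `LOOSE` are constructed samples, and the "weak" heuristics (wildcard and unsafe-* CSP sources, `unsafe-url` referrer policy) are a minimal baseline of my own choosing, not a complete policy linter.

```python
"""Offline check of the security response headers discussed in the post.

Header lookup is case-insensitive (as browsers treat it). The values
below are constructed samples for illustration, not captured traffic.
"""

# Referrer-Policy tokens defined by the Referrer Policy spec
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# CSP source expressions that largely defeat the point of a policy
LOOSE_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}


def _parse_csp(policy):
    """Split 'a b; c d e' into {'a': ['b'], 'c': ['d', 'e']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers):
    """Return {header: (status, detail)}; status is ok/missing/weak/invalid."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    results = {}

    csp = h.get("content-security-policy")
    if csp is None:
        results["Content-Security-Policy"] = ("missing", "no policy sent")
    else:
        directives = _parse_csp(csp)
        problems = []
        if "default-src" not in directives:
            problems.append("no default-src fallback")
        for name, sources in directives.items():
            loose = sorted(set(sources) & LOOSE_CSP_SOURCES)
            if loose:
                problems.append(f"{name} allows {' '.join(loose)}")
        results["Content-Security-Policy"] = (
            ("weak", "; ".join(problems)) if problems else ("ok", csp))

    xfo = h.get("x-frame-options")
    if xfo is None:
        results["X-Frame-Options"] = ("missing", "page can be framed by any origin")
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        results["X-Frame-Options"] = ("ok", xfo)
    else:
        results["X-Frame-Options"] = ("invalid", f"unsupported value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        results["X-Content-Type-Options"] = ("missing", "browser may MIME-sniff")
    elif xcto.lower() == "nosniff":
        results["X-Content-Type-Options"] = ("ok", xcto)
    else:
        results["X-Content-Type-Options"] = ("invalid", f"only 'nosniff' is valid, got {xcto!r}")

    rp = h.get("referrer-policy")
    if rp is None:
        results["Referrer-Policy"] = ("missing", "browser default applies")
    else:
        # The header may list fallbacks separated by commas; every token must be valid
        tokens = [t.strip().lower() for t in rp.split(",") if t.strip()]
        if not tokens or any(t not in VALID_REFERRER_POLICIES for t in tokens):
            results["Referrer-Policy"] = ("invalid", f"unknown token in {rp!r}")
        elif "unsafe-url" in tokens:
            results["Referrer-Policy"] = ("weak", "unsafe-url leaks full URLs cross-origin")
        else:
            results["Referrer-Policy"] = ("ok", rp)

    # Feature-Policy was renamed Permissions-Policy; accept either spelling
    fp = h.get("permissions-policy", h.get("feature-policy"))
    results["Permissions-Policy"] = (
        ("missing", "no feature restrictions sent") if fp is None else ("ok", fp))
    return results


def count_issues(results):
    """Number of headers whose status is anything other than ok."""
    return sum(1 for status, _ in results.values() if status != "ok")


# Constructed sample header sets (not real responses)
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
BARE = {"Content-Type": "text/html"}
LOOSE = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Feature-Policy": "geolocation 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("bare", BARE), ("loose", LOOSE)):
        res = check_security_headers(hdrs)
        print(f"== {label}: {count_issues(res)} issue(s)")
        for name, (status, detail) in res.items():
            print(f"  {name:25} {status:8} {detail}")
```

Run it against a header dump from `curl -sI` (or the LTM's own response capture) to confirm the iRules fire on every virtual server the audit covered; a missing entry usually means the rule's header-name string does not match what the backend sends.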