Forum Discussion

Cirrocumulus

Jun 16, 2023

Solved

Removing x-frame-options header from response when using APM

Hey everyone! We have an application that uses iframe to load another site that´s apm protected, but the default x-frame-options deny blocks this. Anyone have any ideas on how to bypass this (withou...

Juergen_Mang

Jun 19, 2023

This should do the trick.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "x-frame-options"
}

Juergen_Mang
Jun 20, 2023
The apm policy fires always if it is attached to the vs, unless you add an ACCESS::disable anywhere.

Why ACCESS::restrict_irule_events is required: https://clouddocs.f5.com/api/irules/ACCESS__restrict_irule_events.html

Juergen_Mang

MVP

Jun 19, 2023

This should do the trick.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "x-frame-options"
}

Forum Discussion

Removing x-frame-options header from response when using APM

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Set x-frames-options header values depending on URI

Remove X- Headers From Web Server Response

Introduction of Incident Response

Remove Whitespace from HTTP Response Payload