For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kimhenriksen's avatar
kimhenriksen
Icon for Cirrocumulus rankCirrocumulus
Jun 16, 2023
Solved

Removing x-frame-options header from response when using APM

Hey everyone! We have an application that uses iframe to load another site that´s apm protected, but the default x-frame-options deny blocks this. Anyone have any ideas on how to bypass this (withou...
application delivery
BIG-IP Access Policy Manager (APM)
headers
security
  • Juergen_Mang's avatar
    Juergen_Mang
    Jun 19, 2023

    This should do the trick.

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "x-frame-options"
}

     

Juergen_Mang's avatar
Juergen_Mang
Icon for MVP rankMVP
Jun 19, 2023

This should do the trick.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "x-frame-options"
}

 

kimhenriksen's avatar
kimhenriksen
Icon for Cirrocumulus rankCirrocumulus
Jun 20, 2023

That´s a negative on that, your irule was almost identical to mine .. except for the first event. But what i added that, the apm policy doesnt fire at all... When i access the vip there is nothing.

    • kimhenriksen's avatar
      kimhenriksen
      Icon for Cirrocumulus rankCirrocumulus
      Jun 28, 2023

      Yes, we had some other issues.. and they just appeared at the same time. The first part was what i was missing, so this will not be forgotten in the future.

       

      when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}