security headers

Question

I need some help trying to figure out why my standard security headers are not being applied to a specific VIP. I am inserting X-FRAME-OPTIONS, X-XSS-PROTECTION,CONTENT-SECURITY-POLICY to all my Virtual Servers using an irule. for all VS they work if you scan the DNS NAME (using nmap or securityheaders.io) but if I scan using the IP all but 1 VS passes (just 1 VIP shows no headers, it does show HSTS which I am applying through a policy though. Any thoughts as to why 1 VIP would behave differently than the others?

samstep · Answer

It is difficult to say without understanding your configuration - most likely it is configuration mistake somewhere on that VIP. Is it possible that you have 2 VIPs - one listening on port 80 and another on port 443 and you applied iRule just to one of them?

Forum Discussion

security headers

Recent Discussions

NetScaler to F5 Migration

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Related Content

Security Headers Insertion

Security headers

iRule to modify a content-security-policy header

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

AppWorld 2025 Security Insights - ADC 3.0, AI Security, and more

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS