SecurityHeaders
Thanks Lidev. I have added a few more headers, and below is the iRule. The vulnerability is gone; however, the webpage doesn't look right (except in IE). Not all images on the webpage are displayed, the position of the sign-in section has moved, etc.
when HTTP_RESPONSE {
    # Strip headers that leak backend details. Do this first: the X-* loop
    # below would otherwise also delete the X-Frame-Options and
    # X-Content-Type-Options headers inserted further down. Those two are
    # skipped explicitly so a value the backend already sends is kept.
    # HTTP::header remove drops every instance of the named header.
    HTTP::header remove Server
    foreach header_name [HTTP::header names] {
        if { [string match -nocase "x-*" $header_name] &&
             ![string equal -nocase $header_name "X-Frame-Options"] &&
             ![string equal -nocase $header_name "X-Content-Type-Options"] } {
            HTTP::header remove $header_name
        }
    }

    # Add each security header only when the backend did not already set it.
    if { ![HTTP::header exists "X-Frame-Options"] } {
        HTTP::header insert X-Frame-Options "DENY"
    }
    # HSTS is only meaningful on responses served over HTTPS.
    if { ![HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubdomains"
    }
    if { ![HTTP::header exists "X-Content-Type-Options"] } {
        HTTP::header insert X-Content-Type-Options "nosniff"
    }
    # This policy allows only same-origin resources and no inline scripts or
    # styles: anything loaded from a CDN or a third-party font host, and any
    # inline <style> block, is blocked by the browser.
    if { ![HTTP::header exists "Content-Security-Policy"] } {
        HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; upgrade-insecure-requests"
    }
    if { ![HTTP::header exists "Referrer-Policy"] } {
        HTTP::header insert Referrer-Policy "strict-origin"
    }
    # Feature-Policy has since been superseded by Permissions-Policy in
    # current browsers.
    if { ![HTTP::header exists "Feature-Policy"] } {
        HTTP::header insert Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'"
    }
}
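The broken layout and missing images in the post above are what a CSP of only `'self'` sources does to a page that pulls anything from a CDN, a font host or an inline `<style>` block. The following is an added example, not code from the post or from F5: a small, simplified CSP evaluator in Python that parses the policy the iRule inserts and checks a set of constructed resource loads against it, then does the same for a relaxed policy that names the third-party hosts. The page origin, the hosts (cdn.example.net, fonts.gstatic.com, api.example.com) and the loads are assumptions made up for the example; the evaluator models only `'self'`, `'none'`, `'unsafe-inline'`, scheme sources and host sources with a `*.` wildcard, and ignores nonces, hashes, ports and paths.

```python
"""Evaluate which resource loads a Content-Security-Policy blocks.

Added example, not code from the DevCentral post or from F5: a simplified CSP
evaluator used to diagnose why a strict policy breaks a page. It models only
the source expressions needed here ('self', 'none', 'unsafe-inline', scheme
sources such as https:, and host sources with an optional *. wildcard);
nonces, hashes, ports and path matching are ignored. The page origin,
policies and resource loads below are constructed for the example.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.example.com"          # constructed page origin

# The policy inserted by the iRule in the post.
CSP_STRICT = ("default-src 'self'; script-src 'self'; style-src 'self'; "
              "font-src 'self'; img-src 'self'; frame-src 'self'; "
              "upgrade-insecure-requests")

# A relaxed variant naming the third-party hosts the page actually uses
# (hypothetical hosts; in practice read them from CSP violation reports).
CSP_RELAXED = ("default-src 'self'; script-src 'self'; frame-src 'self'; "
               "img-src 'self' https://cdn.example.net; "
               "style-src 'self' 'unsafe-inline'; "
               "font-src 'self' https://fonts.gstatic.com; "
               "connect-src 'self' https://*.example.com")

# Constructed resource loads: (directive, URL), or (directive, "inline") for
# an inline <style>/<script> block.
LOADS = [
    ("img-src", "https://www.example.com/images/logo.png"),
    ("img-src", "https://cdn.example.net/hero.jpg"),
    ("style-src", "inline"),
    ("script-src", "https://www.example.com/js/app.js"),
    ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
    ("connect-src", "https://api.example.com/login"),
]

# Fetch directives that fall back to default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "frame-src", "connect-src", "media-src", "object-src"}


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing a directive, or None when it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def host_matches(pattern, host):
    """Host-source matching with the CSP '*.' subdomain wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # *.example.com matches a.example.com, not example.com
    return host == pattern


def source_allows(source, load, page):
    """Does one source expression permit this load?"""
    src = source.lower()
    if src == "'none'":
        return False
    if load == "inline":
        return src == "'unsafe-inline'"
    target, origin = urlsplit(load), urlsplit(page)
    if src == "'self'":
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if src.startswith("'"):
        return False                        # other keyword sources never match a URL
    if src.endswith(":"):                   # scheme source, e.g. https:
        return target.scheme == src[:-1]
    if "://" in src:                        # host source with an explicit scheme
        scheme, rest = src.split("://", 1)
        if target.scheme != scheme:
            return False
    else:
        rest = src
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return host_matches(host, (target.hostname or "").lower())


def is_allowed(policy, directive, load, page=PAGE_ORIGIN):
    """Browser-style decision: any matching source in the effective list allows the load."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_allows(s, load, page) for s in sources)


def blocked_loads(csp, loads, page=PAGE_ORIGIN):
    """Return the (directive, load) pairs the policy would block."""
    policy = parse_csp(csp)
    return [(d, u) for d, u in loads if not is_allowed(policy, d, u, page)]


if __name__ == "__main__":
    for name, csp in (("strict", CSP_STRICT), ("relaxed", CSP_RELAXED)):
        print(f"{name}: blocked {blocked_loads(csp, LOADS)}")
```

Run against the strict policy, the CDN image, the inline style, the third-party font and the XHR to the API host all come back blocked, which matches the symptoms described above; the relaxed policy blocks none of them. The usual way to find the real list of hosts is to send the policy as `Content-Security-Policy-Report-Only` first and collect the violation reports before switching to the enforcing header.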