Set X-Frame-Options header values depending on URI
Hello,
I am trying to write an iRule that sets the X-Frame-Options header value to SAMEORIGIN for a site, unless the URI contains a specific string. In that case I would want the X-Frame-Options value to be set to ALLOW. The code I have so far is shown below, but the header value is always set to SAMEORIGIN when I examine headers on the client side, and I'm not sure what I'm missing:
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/docsAPI" } {
            set insertXFrame 1
        } else {
            set insertXFrame 0
        }
    }
    when HTTP_RESPONSE {
        if {!([HTTP::header exists "X-Frame-Options" ])} {
            HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
        }
        if {!([HTTP::header exists "X-XSS-Protection"])} {
            HTTP::header insert "X-XSS-Protection" "1; mode=block"
        }
        if {!([HTTP::header exists "X-Content-Type-Options"])} {
            HTTP::header insert "X-Content-Type-Options" "nosniff"
        }
        if {!([HTTP::header exists "Strict-Transport-Security"])} {
            HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
        }
        if { $insert_xframe } then {
            HTTP::header insert "X-Frame-Options" "ALLOWED"
        }
    }
Would appreciate any thoughts or suggestions.
Thank you.
Chris
Hi Chris,
Pay attention to the use of "string tolower".

    [string tolower [HTTP::uri]] contains "/docsapi"
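
A reworked version of the X-Frame-Options logic discussed in this thread, as an added example that is not part of either post. The variable name `allow_framing` and the choice to match on the path prefix are assumptions; the other header inserts from the original iRule are unaffected and left out here.

```tcl
when HTTP_REQUEST {
    # Set the flag on every request so it is always defined, under one
    # consistent name, when HTTP_RESPONSE reads it.
    set allow_framing 0

    # [string tolower ...] returns lower case, so the literal it is compared
    # with must be lower case as well ("/docsAPI" can never match).
    # Assumption: the exempt content lives under the path prefix /docsapi.
    # Matching the path prefix rather than "contains" on the full URI means
    # text in the query string cannot switch the header off.
    if { [string tolower [HTTP::path]] starts_with "/docsapi" } {
        set allow_framing 1
    }
}

when HTTP_RESPONSE {
    if { $allow_framing } {
        # X-Frame-Options defines only DENY and SAMEORIGIN (ALLOW-FROM is
        # obsolete); "ALLOW" and "ALLOWED" are not recognised values.
        # Framing is permitted by sending no X-Frame-Options header.
        # To limit framing to named origins, the Content-Security-Policy
        # frame-ancestors directive is the supported mechanism.
        HTTP::header remove "X-Frame-Options"
    } elseif { !([HTTP::header exists "X-Frame-Options"]) } {
        # Keep a value set by the backend; otherwise add the default.
        # "HTTP::header insert" always appends, so inserting a second value
        # after this one would send two X-Frame-Options headers.
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
}
```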