Security Headers Insertion

Problem this snippet solves:

Centralize the security header management for one or more domains on the recommendation of SecurityHeaders.io.

Be warned!! You can really do damage to your availability if you do not understand these headers and their implications to your client browsers, make sure your header values are tested and vetted before applying to any production traffic.

Background on the headers:

How to use this snippet:

apply this iRule to your virtual servers, once customized for your environment.

Code :

when RULE_INIT {
  set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
  set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
  set static::max_age 15552000
}
when HTTP_REQUEST {
  HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
  #HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
  #HPKP
  HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=$static::max_age; includeSubDomains"
  #X-XSS-Protection
  HTTP::header insert X-XSS-Protection "1; mode=block"
  #X-Frame-Options
  HTTP::header insert X-Frame-Options "DENY"
  #X-Content-Type-Options
  HTTP::header insert X-Content-Type-Options "nosniff"
  #CSP
  HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
  #CSP for IE
  HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
}

Tested this on version:

12.0
Published Mar 14, 2016
Version 1.0
security
  • James_Gill_4496's avatar
    James_Gill_4496
    Icon for Nimbostratus rankNimbostratus
    May 09, 2018

    Think your problem might be simply changing "when HTTP_REQUEST" to "when HTTP_RESPONSE"

     

    Hope this helps.

     

  • Mohanad's avatar
    Mohanad
    Icon for Cirrostratus rankCirrostratus
    May 13, 2018

    Thanks, James, the syntax should be:

     

    X-Content-Type-Options: nosniff

     

    X-XSS-Protection: 1; mode=block

     

    X-Frame-Options: SAMEORIGIN

     

    Strict-Transport-Security: max-age=16070400

     

    content-security-policy: options and value

     

  • P_Kueppers's avatar
    P_Kueppers
    Icon for MVP rankMVP
    May 16, 2018

    I would recommend this to be done over Policies instead of iRules. Simply go to Local Traffic -> Policies and create a new Policy. From there you can add multiple rules in one policy like something like that:

     

     

    It used less cpu ressources that iRules and is a bit easier to set up.

     

  • Arun_LK_202176's avatar
    Arun_LK_202176
    Icon for Nimbostratus rankNimbostratus
    Jun 11, 2018

    Hi Kueppers,

     

    Could you assist with Strict-Transport-Security. AM not able to achieve it. Also, any links to headers would be much appreciated.

     

    Thanks, Arun.

     

  • P_Kueppers's avatar
    P_Kueppers
    Icon for MVP rankMVP
    Sep 28, 2018

    Hi Arun,

     

    Im so sorry Im replying so late. I didnt get a notification :(

     

    We are not using the Header for STS. But from the example in the first post do something like:

     

    "Match all of the following conditions": ALL

     

    "Do the following": "Insert" - "http header" - named: "Strict-Transport-Security" with value "max-age=$static::max_age; includeSubDomains"

     

    This should work.

     

    Infos: https://www.keycdn.com/blog/http-security-headers/

     

  • Nagesh08_254834's avatar
    Nagesh08_254834
    Icon for Nimbostratus rankNimbostratus
    Oct 11, 2018

    Hi Jason,

     

    After using the above irule in our APM, we are facing the issues. Where users are not able to connect VPN. If i remove the I rule it starts working.

     

    Using the above irule is fixing my security header vulnerability issues reported by qualys, but creating VPN issues. How can I overcome this situation?

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Oct 11, 2018

    Hi Nagesh08, ask a question in Q&A and post the entirety of your iRule there. If not modified for your personal environment, and especially with APM considerations, I wouldn't anticipate it would be a clean drop and insert.

     

  • Nagesh08_254834's avatar
    Nagesh08_254834
    Icon for Nimbostratus rankNimbostratus
    Oct 12, 2018

    Hi Jason,

     

    code is as same as above,

     

    when RULE_INIT { set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=" set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=" set static::max_age 15552000 } when HTTP_REQUEST { HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" } when HTTP_RESPONSE { HSTS HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains" HPKP HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=$static::max_age; includeSubDomains" X-XSS-Protection HTTP::header insert X-XSS-Protection "1; mode=block" X-Frame-Options HTTP::header insert X-Frame-Options "DENY" X-Content-Type-Options HTTP::header insert X-Content-Type-Options "nosniff" CSP HTTP::header insert Content-Security-Policy "default-src ; CSP for IE HTTP::header insert X-Content-Security-Policy "default-src ; }

     

    As i found the code here, i am seeking your help.

     

    Thank you