Security Headers Insertion
Problem this snippet solves:
Centralize the security header management for one or more domains on the recommendation of SecurityHeaders.io.
Be warned!! You can really do damage to your availability if you do not understand these headers and their implications to your client browsers, make sure your header values are tested and vetted before applying to any production traffic.
Background on the headers:
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Public-Key-Pins
- Strict-Transport-Security
How to use this snippet:
apply this iRule to your virtual servers, once customized for your environment.
Code :
when RULE_INIT {
set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
set static::max_age 15552000
}
when HTTP_REQUEST {
HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
#HSTS
HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
#HPKP
HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=$static::max_age; includeSubDomains"
#X-XSS-Protection
HTTP::header insert X-XSS-Protection "1; mode=block"
#X-Frame-Options
HTTP::header insert X-Frame-Options "DENY"
#X-Content-Type-Options
HTTP::header insert X-Content-Type-Options "nosniff"
#CSP
HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
#CSP for IE
HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
}Tested this on version:
12.0Published Mar 14, 2016
Version 1.0
JRahm
Admin
AdminJRahmAdmin
Admin
Fallout1984Cirrocumulus
Here's a link to an online tool to check a site's security headers (in case anyone didn't already have one):
https://geekflare.com/tools/secure-headers-test