Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

Problem this snippet solves:

HTTP provides a number of response headers that a web application can set to harden how browsers handle its content.

Once set, these response headers instruct modern browsers to enforce protections that close off several common and easily preventable classes of attack, such as downgrade to plain HTTP, clickjacking, and MIME-type sniffing.


Using an iRule, you can add these HTTP response headers at the BIG-IP without touching the application, which is a quick way to improve your web application's security posture.


To learn more about these and other security headers, refer to the OWASP Secure Headers Project page.

https://owasp.org/www-project-secure-headers/#tab=Headers

How to use this snippet:

  1. Create the iRule for Security Headers.
  2. Assign the iRule to a virtual server and test!

Code :

when HTTP_RESPONSE {
    ### Enforce HTTP Strict Transport Security (HSTS)
    ### max-age is in seconds (the value below is roughly one year). Browsers only honour
    ### this header when it arrives over HTTPS, so assign the iRule to a TLS virtual server.
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=31536035"
    }
    ### Enable the browser's legacy cross-site scripting (XSS) filter.
    ### Note: this filter has been removed from current Chromium and Edge and was never
    ### implemented in Firefox; a Content-Security-Policy is the modern replacement.
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1;mode=block"
    }
    ### Improve the protection against clickjacking by only allowing same-origin framing
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    ### Prevent the browser from interpreting files as something other than the declared Content-Type
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}

Tested this on version:

13.0
Published Mar 23, 2020
Version 1.0
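The following variant is an added example and is not part of the original snippet. It restructures the same idea as a table of header/value pairs so additional headers (here Content-Security-Policy and Referrer-Policy) can be added in one place, and it only emits Strict-Transport-Security when the virtual server has a client SSL profile, since browsers ignore HSTS received over plain HTTP (RFC 6797). The variable name static::sec_headers and all header values are illustrative choices of this example; the Content-Security-Policy value in particular is a placeholder that must be tuned to what the application actually loads, or it will break pages.

```tcl
# Added example (not the original snippet's code): table-driven security headers.
# Header values are illustrative defaults, not a recommendation for every application.
when RULE_INIT {
    # Name/value pairs; each is inserted only when the backend did not already set it.
    set static::sec_headers [list \
        "Strict-Transport-Security" "max-age=31536000; includeSubDomains" \
        "X-Content-Type-Options"    "nosniff" \
        "X-Frame-Options"           "SAMEORIGIN" \
        "Referrer-Policy"           "strict-origin-when-cross-origin" \
        "Content-Security-Policy"   "default-src 'self'; frame-ancestors 'self'; object-src 'none'" \
    ]
}

when HTTP_RESPONSE {
    # HSTS is only meaningful on an HTTPS virtual server: per RFC 6797 a browser
    # ignores the header when it arrives over plain HTTP, so skip it there.
    set is_tls [PROFILE::exists clientssl]

    foreach {name value} $static::sec_headers {
        # Respect a header the application set itself (HTTP::header exists is case-insensitive).
        if { [HTTP::header exists $name] } {
            continue
        }
        if { $name eq "Strict-Transport-Security" && !$is_tls } {
            continue
        }
        HTTP::header insert $name $value
    }
}
```

After assigning the iRule to a virtual server, verify with curl -sI https://your-host/ (or the browser's network tab) that every header appears once, and roll out Content-Security-Policy as Content-Security-Policy-Report-Only first if you are unsure what the application loads.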
  • Sajid

    Hi Pedro,

    Thanks for sharing a nice article.

    Is it possible to have some knowledge or code sharing for "content-security-policy"?

    Regards,

    Sajid