Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection
Problem this snippet solves:
HTTP provides many response headers that your application can use to increase its security.
Once set, these HTTP response headers stop modern browsers from running into easily preventable common vulnerabilities.
Using an iRule, you can add a few HTTP response headers to improve your web application's security without touching the application itself.
To learn more about these and other security headers, refer to the OWASP Secure Headers Project page.
https://owasp.org/www-project-secure-headers/#tab=Headers
How to use this snippet:
- Create the iRule for Security Headers.
- Assign the iRule to a virtual server and test!
Code :
when HTTP_RESPONSE {
    ### Enforce HTTP Strict Transport Security (HSTS)
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=31536035"
    }
    ### Enable the browser's Cross-site scripting (XSS) filter
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1;mode=block"
    }
    ### Improve the protection against Clickjacking
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    ### Prevent the browser from interpreting files as something other than what the Content-Type declares
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}

Tested this on version: 13.0
Published Mar 22, 2020
Version 1.0
Author: Pedro_Haoa, Solutions Engineer at F5 Networks | Cybersecurity Enthusiast | Cloud Security Advisor | Technical Sales Specialist | NGINX Champion | DevCentral Advocate (Ret. Employee)
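The "test!" step above is easier with a repeatable check. The following Python script is an added example, not part of the original snippet or of F5's iRule code: it parses the head of a captured HTTP response and reports which of the four headers the iRule inserts are missing or carry a weak value (for example an HSTS max-age below one year, a threshold chosen here rather than taken from the page). The two sample responses are constructed to mimic an origin reply before and after the iRule is assigned; they are not captures from a real server.

```python
import re

# Added example, not part of the original iRule snippet.
# Checks a captured HTTP response for the four headers the iRule inserts.

ONE_YEAR_SECONDS = 31536000  # HSTS max-age floor used by this check (assumption, not from the page)

def parse_response_headers(raw):
    """Parse the head of a raw HTTP/1.x response into a {name: value} dict.

    Only the status line and header block are consumed; the body is ignored.
    Duplicate header names keep the last value, which is enough for this check."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # element 0 is the status line
        if ":" not in line:
            continue                        # tolerate a malformed line instead of failing
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers

def hsts_max_age(value):
    """Return the max-age directive of an HSTS header as an int, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def _check_hsts(value):
    age = hsts_max_age(value)
    if age is None:
        return "no max-age directive"
    if age < ONE_YEAR_SECONDS:
        return f"max-age {age} is below one year"
    return None

# Header name -> validator returning None when the value is acceptable, else a problem string.
# The accepted values mirror what the iRule inserts.
CHECKS = {
    "Strict-Transport-Security": _check_hsts,
    "X-Frame-Options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else f"unexpected value {v!r}",
    "X-Content-Type-Options": lambda v: None if v.lower() == "nosniff" else f"unexpected value {v!r}",
    "X-XSS-Protection": lambda v: None if v.startswith("1") else f"filter not enabled: {v!r}",
}

def check_security_headers(headers):
    """Return {header name: None or problem string}; lookup is case-insensitive,
    as header names are case-insensitive on the wire."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, validator in CHECKS.items():
        value = lower.get(name.lower())
        findings[name] = "missing" if value is None else validator(value)
    return findings

def missing_or_weak(headers):
    """Sorted list of header names that are missing or carry a weak/unexpected value."""
    return sorted(name for name, problem in check_security_headers(headers).items() if problem)

# Constructed sample responses: an origin reply without the iRule, and the same reply
# after the iRule has inserted its headers. Not captured from a real server.
RAW_WITHOUT_IRULE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: origin\r\n"
    "\r\n"
    "<html></html>"
)
RAW_WITH_IRULE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536035\r\n"
    "X-XSS-Protection: 1;mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before iRule", RAW_WITHOUT_IRULE), ("after iRule", RAW_WITH_IRULE)):
        problems = missing_or_weak(parse_response_headers(raw))
        print(label, "->", problems or "all four headers present")
```

Feed it the raw response head captured with your HTTP client of choice; the "before" sample lists all four headers, the "after" sample lists none. Because the iRule only inserts a header when the origin did not already send one, the check also catches an origin that sets a weaker value of its own (say, a short HSTS max-age), which the iRule deliberately leaves untouched. Note that the OWASP Secure Headers Project linked above has since marked X-XSS-Protection as deprecated; the check here simply mirrors what this iRule inserts.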