on 22-Mar-2020 18:20
Problem this snippet solves:
HTTP provides many response headers that your application can use to increase its security.
Once set, these HTTP response headers keep modern browsers from running into easily preventable, common vulnerabilities.
Using an iRule, you can add a couple of HTTP Response Headers to easily improve your web application security.
To learn more about these and other security headers, refer to the OWASP Secure Headers Project page.
https://owasp.org/www-project-secure-headers/#tab=Headers
How to use this snippet:
Code:
when HTTP_RESPONSE {
    ### Enforce HTTP Strict Transport Security (HSTS)
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=31536035"
    }
    ### Enable the Cross-site scripting (XSS) filter
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1;mode=block"
    }
    ### Improve the protection against Clickjacking
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    ### Prevent the browser from interpreting files as something other than what the content type declares
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
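To confirm what the iRule actually delivers to clients, here is an added Python check (not part of the original snippet) that audits the headers of a captured response for the four headers above; it also flags a weak value, since the iRule's "exists" test leaves any value the origin server already set untouched. MIN_HSTS_MAX_AGE and the sample responses are constructed assumptions.

```python
# Added example (not part of the original snippet): audit a response's headers for
# the four headers the iRule inserts. MIN_HSTS_MAX_AGE is an assumed local policy.
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds

def hsts_max_age(value):
    """Return the integer max-age from an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None

def audit_security_headers(headers):
    """Return {header: finding} for each header that is missing or weak (empty = pass).

    The iRule only inserts a header when none exists, so a weak value set by the
    origin server survives untouched; values are therefore checked, not just presence.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    elif hsts_max_age(hsts) is None:
        findings["Strict-Transport-Security"] = "max-age missing or invalid"
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings["Strict-Transport-Security"] = "max-age shorter than one year"
    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing"
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "value is not DENY or SAMEORIGIN"
    xcto = lower.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.lower() != "nosniff":
        findings["X-Content-Type-Options"] = "value is not nosniff"
    if "x-xss-protection" not in lower:
        findings["X-XSS-Protection"] = "missing"
    return findings

# Constructed samples: an origin response before the iRule runs, the same response
# after the iRule inserted its headers, and one where the origin set a weak HSTS value.
BEFORE = {"Content-Type": "text/html", "Server": "origin"}
AFTER = dict(BEFORE, **{"Strict-Transport-Security": "max-age=31536035",
                       "X-XSS-Protection": "1;mode=block",
                       "X-Frame-Options": "SAMEORIGIN",
                       "X-Content-Type-Options": "nosniff"})
WEAK_ORIGIN = dict(AFTER, **{"Strict-Transport-Security": "max-age=300"})
```

Feed it the headers of a real response (for example `requests.get(url).headers`) before and after enabling the iRule to see exactly which findings the rule closes.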
Tested this on version:
13.0