Security Headers Insertion

Problem this snippet solves:

Centralize the security header management for one or more domains on the recommendation of SecurityHeaders.io.

Be warned!! You can really do damage to your availability if you do not understand these headers and their implications to your client browsers, make sure your header values are tested and vetted before applying to any production traffic.

Background on the headers:

How to use this snippet:

apply this iRule to your virtual servers, once customized for your environment.

Code :

when RULE_INIT {
  set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
  set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
  set static::max_age 15552000
}
when HTTP_REQUEST {
  HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
  #HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
  #HPKP
  HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=$static::max_age; includeSubDomains"
  #X-XSS-Protection
  HTTP::header insert X-XSS-Protection "1; mode=block"
  #X-Frame-Options
  HTTP::header insert X-Frame-Options "DENY"
  #X-Content-Type-Options
  HTTP::header insert X-Content-Type-Options "nosniff"
  #CSP
  HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
  #CSP for IE
  HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
}

Tested this on version:

12.0
Published Mar 14, 2016
Version 1.0
security

Was this article helpful?

21 Comments

Sort By
  • P_Kueppers's avatar
    P_Kueppers
    Icon for MVP rankMVP
    Jun 05, 2018

    Sorry for the late answer. Thats not a big deal. You should read a bit about the headers and take your favorite option and write them as same as the example rule above.

     

    But I took a few screenshots ;-)

     

    Insert only if not matched: Insert All Traffic: Insert only if not matched:

     

  • DJDX21_252164's avatar
    DJDX21_252164
    Icon for Cirrus rankCirrus
    Mar 18, 2016
    If the headers are already present in case of HSTS or Content security policy one can override with the new header by removing the old header Like this: ~~~ when HTTP_RESPONSE { set strictTransportSecurityHeader {"Strict-Transport-Security"} if { [HTTP::header exists $strictTransportSecurityHeader] } { HTTP::header remove $strictTransportSecurityHeader } HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains" } ~~~
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Mar 21, 2016
    yep, you can remove and insert, or a replace instead.
  • magnus78_287184's avatar
    magnus78_287184
    Icon for Cirrus rankCirrus
    Nov 17, 2017

    Are these possible to insert on APM Webtops? edit added a working irule for this on apm 13.0.

    when HTTP_RESPONSE { if {!( [HTTP::header "X-XSS-Protection"] eq "1; mode=block") }{ HTTP::header replace X-XSS-Protection "1; mode=block" }

    if {!( [HTTP::header "X-Content-Type-Options"] eq "nosniff") }{
    HTTP::header replace X-Content-Type-Options "nosniff"
}
if {!( [HTTP::header "Content-Security-Policy"] eq "frame-ancestors *;script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src 'self' data: ; connect-src 'self' wss:;") }{
    HTTP::header replace Content-Security-Policy "frame-ancestors *;script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src 'self' data: ; connect-src 'self' wss:;"
}
    log local0. "irule working"

    }

  • AlexDeMarco's avatar
    AlexDeMarco
    Icon for Nimbostratus rankNimbostratus
    Jan 24, 2018

    What is the purpose of having this: when HTTP_REQUEST { HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" }

     

  • waleed_osama_23's avatar
    waleed_osama_23
    Icon for Nimbostratus rankNimbostratus
    Jan 24, 2018

    I'm really interested to know why the 301 is needed as well, someone please respond if you have any idea

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jan 24, 2018

    The 301 should really be only for requests to the http vip. Including the explicit redirect to ssl is considered best practice for capturing the first (pre-hsts-enabled) request.

     

  • waleed_osama_23's avatar
    waleed_osama_23
    Icon for Nimbostratus rankNimbostratus
    Jan 24, 2018

    Hi Jason I have a question on HSTS. Isnt it useless on F5 since it won't serve any non https requests anyway on the VS?

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jan 25, 2018

    HSTS isn't a helpful server-side setting anyway, it's a client-side protection you enable on the server-side.