JRahm
Community Manager

Problem this snippet solves:

Centralize the security header management for one or more domains on the recommendation of SecurityHeaders.io.

Be warned! You can do real damage to your availability if you do not understand these headers and what they make client browsers do. HSTS and HPKP are cached by the browser for the full max-age (180 days in the snippet below), so a wrong pin or a mistyped directive locks users out until the cached entry expires, and a CSP blocks every script, style or image source it does not list. Make sure your header values are tested and vetted before applying them to any production traffic, ideally starting with a short max-age.

Background on the headers:

How to use this snippet:

Customize the values for your environment (pins, max-age, CSP sources), then apply the iRule to your virtual servers. The 301 in HTTP_REQUEST is meant for the plain-HTTP (port 80) virtual server and the HTTP_RESPONSE headers for the HTTPS virtual server; if one iRule is attached to both, the redirect must only fire for port-80 traffic, or the HTTPS virtual server redirects every request to itself.

Code:

when RULE_INIT {
  # HPKP pins: base64 SHA-256 of the certificate's SubjectPublicKeyInfo. RFC 7469
  # requires at least two pins, one of them a backup key that is NOT in the
  # served chain; a header with a single pin is rejected by browsers that honour HPKP.
  set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
  set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
  # 180 days in seconds; browsers cache the HSTS and HPKP policy for this long
  set static::max_age 15552000
}
when HTTP_REQUEST {
  # Redirect plain-HTTP requests only. Without this guard the same iRule on the
  # HTTPS virtual server would answer every request with a redirect to itself.
  if { [TCP::local_port] == 80 } {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
    return
  }
}
when HTTP_RESPONSE {
  #HSTS: the browser uses only HTTPS for this host (and subdomains) for max_age seconds
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
  #HPKP: directives are separated by ';' and both pins must be sent. HPKP has since
  #been removed from mainstream browsers; a wrong pin locks users out for max_age,
  #so only send it if you still need it and have tested the pins.
  HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\"; pin-sha256=\"$static::fqdn_pin2\"; max-age=$static::max_age; includeSubDomains"
  #X-XSS-Protection: legacy reflected-XSS filter, ignored by current browsers
  HTTP::header insert X-XSS-Protection "1; mode=block"
  #X-Frame-Options: forbid framing by any page (clickjacking)
  HTTP::header insert X-Frame-Options "DENY"
  #X-Content-Type-Options: no MIME sniffing of responses
  HTTP::header insert X-Content-Type-Options "nosniff"
  #CSP: replace the devcentral.f5.com source with your own origin(s)
  HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
  #CSP for IE: pre-standard header name, ignored by modern browsers
  HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
}

Tested this on version:

12.0
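An added check, not part of the original snippet or of F5's code: the Python script below audits the headers a virtual server actually returns against the rules the snippet is meant to enforce. Feed it the output of `curl -si https://host/`. The two sample responses inside it are constructed; BAD_TLS carries the HPKP header the way a single-pin version without the ';' before max-age emits it, so the audit shows what that mistake looks like from the browser's side.

```python
"""Audit the security headers a virtual server actually returns.

Added example, not part of the original iRule snippet or of F5's own code. It
parses a raw HTTP response (e.g. saved from `curl -si https://host/`) and checks
the headers the iRule inserts for the defects that most often slip through: a
short or missing HSTS max-age, HPKP with one pin or a missing ';' between
directives, a header sent twice, a permissive X-Frame-Options, and
'unsafe-inline' in the effective script-src. The sample responses are constructed.
"""
import re
from typing import Dict, List, Tuple

B64_SHA256 = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 32-byte digest, base64, one pad

def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """(status, headers); names lower-cased, every occurrence kept to spot duplicates."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers: Dict[str, List[str]] = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(head[0].split()[1]), headers

def kv_directives(value: str) -> Dict[str, List[str]]:
    """Split 'max-age=1; includeSubDomains' lists (HSTS, HPKP); repeated names
    are collected because HPKP sends one pin-sha256 per pin."""
    out: Dict[str, List[str]] = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        out.setdefault(name.strip().lower(), []).append(val.strip().strip('"'))
    return out

def csp_directives(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [sources]}; CSP separates sources by spaces."""
    parts = [p.split() for p in value.split(";") if p.strip()]
    return {tokens[0].lower(): tokens[1:] for tokens in parts}

def audit(raw: str, min_hsts_age: int = 15552000) -> List[str]:
    """Audit an HTTPS response; returns findings, [] when every check passes."""
    findings: List[str] = []
    _, h = parse_response(raw)
    # 'HTTP::header insert' adds a second copy when the pool member already sends
    # the header, and browsers then see two values; the fix is replace.
    for name in ("strict-transport-security", "content-security-policy",
                 "x-frame-options", "x-content-type-options"):
        if len(h.get(name, [])) > 1:
            findings.append(f"{name} sent {len(h[name])} times; use replace, not insert")
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    else:
        d = kv_directives(h["strict-transport-security"][0])
        age = d.get("max-age", [""])[0]
        if not age.isdigit() or int(age) < min_hsts_age:
            findings.append(f"HSTS max-age {age!r} below {min_hsts_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    # HPKP is no longer enforced by mainstream browsers; if it is still sent it must
    # be well formed: ';' between directives and two distinct pins (RFC 7469 requires
    # a backup pin that is not in the served chain).
    for hpkp in h.get("public-key-pins", []):
        pins = set(kv_directives(hpkp).get("pin-sha256", []))
        if len(pins) < 2:
            findings.append(f"HPKP has {len(pins)} pin(s); a backup pin is required")
        if any(not B64_SHA256.match(p) for p in pins):
            findings.append("HPKP pin malformed (missing ';' between directives?)")
    if h.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    else:
        d = csp_directives(h["content-security-policy"][0])
        scripts = d.get("script-src", d.get("default-src", []))
        if not scripts:
            findings.append("CSP has neither default-src nor script-src")
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
    return findings

# Constructed samples. BAD_TLS carries the HPKP header the way a single-pin
# version without the ';' before max-age emits it.
GOOD_TLS = (
    "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    'Public-Key-Pins: pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; '
    'pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; max-age=15552000; includeSubDomains\r\n'
    "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>"
)
BAD_TLS = (
    "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
    'Public-Key-Pins: pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=" max-age=15552000; includeSubDomains\r\n'
    "X-Frame-Options: ALLOWALL\r\nX-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: script-src 'self' 'unsafe-inline'\r\n\r\n"
)

if __name__ == "__main__":
    print("good:", audit(GOOD_TLS) or "all checks passed")
    print("bad:", audit(BAD_TLS))
```

Run it against a saved response before and after attaching the iRule; an empty list for the HTTPS virtual server is the target, and any "sent N times" finding means the pool member already emits that header and the iRule should replace it rather than insert a second copy.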
Comments
DJDX21_252164
Cirrus

If the headers are already present, in the case of HSTS or Content-Security-Policy, one can override them with the new header by removing the old header, like this:

~~~
when HTTP_RESPONSE {
  # header name; plain quotes, since {"..."} would keep the quote characters in the name
  set strictTransportSecurityHeader "Strict-Transport-Security"
  if { [HTTP::header exists $strictTransportSecurityHeader] } {
    HTTP::header remove $strictTransportSecurityHeader
  }
  HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
~~~
JRahm
Community Manager

Yep, you can remove and insert, or use a replace instead.
Vince_212173
Nimbostratus

Good stuff.

Are these possible to insert on APM webtops? Edit: added a working iRule for this on APM 13.0.

when HTTP_RESPONSE {
  # replace inserts the header when it is absent and overwrites it when present,
  # so each check only avoids rewriting a value that is already correct
  if { !([HTTP::header "X-XSS-Protection"] eq "1; mode=block") } {
    HTTP::header replace X-XSS-Protection "1; mode=block"
  }
  if { !([HTTP::header "X-Content-Type-Options"] eq "nosniff") } {
    HTTP::header replace X-Content-Type-Options "nosniff"
  }
  # permissive CSP: 'unsafe-inline' and 'unsafe-eval' allow inline and eval'd
  # scripts, and frame-ancestors * allows framing by any site
  set csp "frame-ancestors *;script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src 'self' data: ; connect-src 'self' wss:;"
  if { !([HTTP::header "Content-Security-Policy"] eq $csp) } {
    HTTP::header replace Content-Security-Policy $csp
  }
  # debug message, remove once verified
  log local0. "irule working"
}


AlexDeMarco
Nimbostratus

What is the purpose of having this?

when HTTP_REQUEST {
  HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}


waleed_osama_23
Nimbostratus

I'm really interested to know why the 301 is needed as well; someone please respond if you have any idea.


JRahm
Community Manager

The 301 should really be only for requests to the HTTP VIP. Including the explicit redirect to SSL is considered best practice for capturing the first (pre-HSTS) request.


waleed_osama_23
Nimbostratus

Hi Jason, I have a question on HSTS. Isn't it useless on F5, since it won't serve any non-HTTPS requests anyway on the VS?


JRahm
Community Manager

HSTS isn't a helpful server-side setting anyway; it's a client-side protection you enable on the server side.
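To make the two points in this exchange concrete (the 301 exists to catch the first, pre-HSTS request; HSTS itself is a client-side control), here is an added example that is mine, not from the thread or from F5. It models the HSTS store a browser keeps per RFC 6797; hostnames and timestamps are constructed. It shows that the first http:// request leaves the client unprotected, that later http:// URLs to a known host are rewritten to https before any packet is sent, and that includeSubDomains on www.example.com covers api.www.example.com but not portal.example.com.

```python
"""Model of the HSTS store a browser keeps, to show why the server-side header
is really a client-side control and why the http virtual server still needs
the explicit 301.

Added example, not from the original thread or from F5. Behaviour follows
RFC 6797: the header is honoured only on HTTPS responses, max-age=0 clears the
entry, includeSubDomains covers hosts below the one that sent it, and later
http:// navigations to a known host are rewritten to https before the request
leaves the client. Hostnames and timestamps are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float           # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


class HstsCache:
    """Minimal user-agent HSTS host store."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsEntry] = {}

    def note_response(self, url: str, sts: Optional[str], now: float) -> None:
        """Record the Strict-Transport-Security header of one response.
        Plain-http responses are ignored (an on-path attacker could otherwise
        set or clear the policy), as is a header without a numeric max-age."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not sts or not parts.hostname:
            return
        max_age, include_sub = None, False
        for part in sts.split(";"):
            name, _, value = part.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)   # the server is withdrawing its policy
        else:
            self.hosts[host] = HstsEntry(now + max_age, include_sub)

    def is_known_host(self, host: str, now: float) -> bool:
        """True if the host itself, or a superdomain whose entry carries
        includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """What the browser actually sends: http:// to a known host becomes
        https:// (an explicit port 80 becomes the default 443, other ports are
        kept). On an unknown host, i.e. the very first visit, the URL is
        unchanged and plain http goes out; that is what the 301 on the
        port-80 virtual server catches."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def first_visit_walkthrough() -> List[str]:
    """URLs the client sends on two visits to the same site."""
    cache, sent = HstsCache(), []
    # Visit 1: the user types http://...; nothing is cached, so plain http goes
    # out, the port-80 virtual server answers 301, and the https response sets HSTS.
    sent.append(cache.rewrite("http://www.example.com/", now=0))
    cache.note_response("https://www.example.com/", "max-age=15552000; includeSubDomains", now=0)
    # Visit 2: the same http:// URL is upgraded locally; the server never sees http.
    sent.append(cache.rewrite("http://www.example.com/login", now=3600))
    return sent


if __name__ == "__main__":
    print(first_visit_walkthrough())
```

The walkthrough returns `['http://www.example.com/', 'https://www.example.com/login']`: the first request is plain http regardless of what the server is configured to send, which is why the port-80 virtual server must redirect, and from then on the rewrite happens inside the browser without any help from the BIG-IP.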

 

Mohanad
Cirrostratus

I tried this but it did not work.


James_Gill_4496
Nimbostratus

I think your problem might simply be changing "when HTTP_REQUEST" to "when HTTP_RESPONSE".

Hope this helps.


Mohanad
Cirrostratus

Thanks, James, the syntax should be:

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400
content-security-policy: options and value


P_Kueppers
Cirrus

I would recommend doing this with Policies instead of iRules. Simply go to Local Traffic -> Policies and create a new Policy. From there you can add multiple rules in one policy, something like this:

[two screenshots of the policy rules]

It uses fewer CPU resources than iRules and is a bit easier to set up.


Arun_LK_202176
Nimbostratus

Could you forward the policies for all the headers shown in the list, please?


P_Kueppers
Cirrus

Sorry for the late answer. That's not a big deal. You should read a bit about the headers, take your favourite option and write them the same way as the example rule above.

But I took a few screenshots 😉

Insert only if not matched: [screenshot]
Insert All Traffic: [screenshot]
Insert only if not matched: [screenshot]


Arun_LK_202176
Nimbostratus

Hi Kueppers,

Could you assist with Strict-Transport-Security? I am not able to achieve it. Also, any links about the headers would be much appreciated.

Thanks, Arun.


P_Kueppers
Cirrus

Hi Arun,

I'm so sorry I'm replying so late. I didn't get a notification 😞

We are not using the header for STS, but based on the example in the first post, do something like:

"Match all of the following conditions": ALL
"Do the following": "Insert" - "http header" - named: "Strict-Transport-Security" with value "max-age=$static::max_age; includeSubDomains"

This should work.

Info: https://www.keycdn.com/blog/http-security-headers/


Nagesh08_254834
Nimbostratus

Hi Jason,

After using the above iRule in our APM, we are facing issues where users are not able to connect to the VPN. If I remove the iRule it starts working.

Using the above iRule fixes the security header vulnerability issues reported by Qualys, but it creates VPN issues. How can I overcome this situation?


JRahm
Community Manager

Hi Nagesh08, ask a question in Q&A and post the entirety of your iRule there. If it is not modified for your personal environment, and especially with APM considerations, I wouldn't anticipate it would be a clean drop and insert.


Nagesh08_254834
Nimbostratus

Hi Jason,

The code is the same as above:

when RULE_INIT {
  set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
  set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
  set static::max_age 15552000
}
when HTTP_REQUEST {
  HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
  #HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
  #HPKP
  HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=$static::max_age; includeSubDomains"
  #X-XSS-Protection
  HTTP::header insert X-XSS-Protection "1; mode=block"
  #X-Frame-Options
  HTTP::header insert X-Frame-Options "DENY"
  #X-Content-Type-Options
  HTTP::header insert X-Content-Type-Options "nosniff"
  #CSP
  HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
  #CSP for IE
  HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
}

As I found the code here, I am seeking your help.

Thank you


Version history
Last update: 14-Mar-2016 14:02