Pedro_Haoa
F5 Employee

Problem this snippet solves:

HTTP provides many response headers that your application can use to increase its security.

Once set, these response headers restrict how modern browsers handle your pages and thereby prevent several common, easily avoidable vulnerabilities.

Using an iRule, you can add a few of these HTTP response headers on the BIG-IP and improve the security of your web application without changing the application itself.


To learn more about these and other security headers, refer to the OWASP Secure Headers Project page.

https://owasp.org/www-project-secure-headers/#tab=Headers

How to use this snippet:

  1. Create the iRule for Security Headers.
  2. Assign the iRule to a virtual server and test!

Code:

when HTTP_RESPONSE {
    ### Enforce HTTP Strict Transport Security (HSTS)
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=31536035"
    }
    ### Enable the browser's Cross-site scripting (XSS) filter
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1;mode=block"
    }
    ### Improve the protection against clickjacking
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    ### Prevent the browser from interpreting files as something other than what the Content-Type declares
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
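Each branch of the iRule inserts a header only when the application did not already send one, so a weak value set by the application (for example an HSTS max-age of 0) survives untouched. To verify step 2 ("assign the iRule to a virtual server and test") without a browser, the following added Python audit script (not part of this post or of F5's code) parses a raw HTTP response and reports, for each of the four headers the iRule sets, whether it is missing, weak, or ok. The minimum HSTS max-age threshold and the three sample responses are assumptions constructed for the example.

```python
"""Audit an HTTP response for the four security headers set by the iRule.

Added example, not from the original post. Thresholds and sample
responses are constructed assumptions.
"""
import re

# Assumption: treat an HSTS max-age shorter than 180 days as weak.
MIN_HSTS_MAX_AGE = 15552000


def parse_response_headers(raw: str) -> dict:
    """Return {lowercased header name: value} from a raw HTTP/1.x response.

    Only the head (status line plus headers) is read; the body after the
    blank line is ignored. Header names are matched case-insensitively,
    as HTTP requires. A repeated header keeps the last value seen.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value):
    if value is None:
        return "missing"
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return "weak: no max-age directive"
    if int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return f"weak: max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}"
    return "ok"


def check_xss_protection(value):
    if value is None:
        return "missing"
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] != "1":
        return "weak: filter is disabled"
    if "mode=block" not in parts:
        return "weak: mode=block is not set"
    return "ok"


def check_frame_options(value):
    if value is None:
        return "missing"
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok"
    return "weak: value is not DENY or SAMEORIGIN"


def check_content_type_options(value):
    if value is None:
        return "missing"
    return "ok" if value.strip().lower() == "nosniff" else "weak: not nosniff"


# Header name -> check function, mirroring the four branches of the iRule.
CHECKS = {
    "strict-transport-security": check_hsts,
    "x-xss-protection": check_xss_protection,
    "x-frame-options": check_frame_options,
    "x-content-type-options": check_content_type_options,
}


def audit_headers(headers: dict) -> dict:
    """Map each security header to 'ok', 'missing' or a 'weak: ...' reason."""
    return {name: check(headers.get(name)) for name, check in CHECKS.items()}


def audit_raw_response(raw: str) -> dict:
    return audit_headers(parse_response_headers(raw))


# Constructed sample 1: response after the iRule inserted all four headers.
SAMPLE_WITH_IRULE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536035\r\n"
    "X-XSS-Protection: 1;mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html></html>"
)
# Constructed sample 2: application response with no security headers.
SAMPLE_WITHOUT_IRULE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
# Constructed sample 3: application already sends weak values, which the
# iRule keeps because the headers exist.
SAMPLE_WEAK_APP = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=0\r\n"
    "x-frame-options: ALLOW-FROM https://example.invalid\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("with iRule", SAMPLE_WITH_IRULE),
                       ("without iRule", SAMPLE_WITHOUT_IRULE),
                       ("weak app values", SAMPLE_WEAK_APP)):
        print(label)
        for name, result in audit_raw_response(raw).items():
            print(f"  {name}: {result}")
```

Run it against a response captured from the virtual server (for example with `curl -si`) by passing the raw text to `audit_raw_response`; any "weak" result means the application, not the iRule, is setting that header and should be fixed at the source.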

Tested this on version:

13.0
Comments
Sajid
Cirrostratus

Hi Pedro,

Thanks for sharing a nice article.

Is it possible to share some knowledge or code for "content-security-policy"?

Regards,

Sajid

Version history
Last update: 22-Mar-2020 18:20