Johnny_Schmidt_
Historic F5 Account

If you develop and deploy web applications then security is on your mind.  When I want to understand a web security topic I go to OWASP.org, a community dedicated to enabling the world to create trustworthy web applications.


One of my favorite OWASP wiki pages is the list of useful HTTP headers. This page lists a few HTTP headers which, when added to the HTTP responses of an app, enhance its security practically for free. Let’s examine the list…

These headers can be added without concern that they affect application behavior:

  • X-XSS-Protection
    • Forces the enabling of cross-site scripting protection in the browser (useful when the protection may have been disabled)
  • X-Content-Type-Options
    • Prevents browsers from treating a response differently than the Content-Type header indicates

These headers may need some consideration before implementing:

  • Public-Key-Pins
    • Helps avoid *-in-the-middle attacks using forged certificates
  • Strict-Transport-Security
  • X-Frame-Options / Frame-Options
    • Used to avoid "clickjacking", but can break an application; usually you want this
  • Content-Security-Policy / X-Content-Security-Policy / X-Webkit-CSP
    • Provides a policy for how the browser renders an app, aimed at avoiding XSS
  • Content-Security-Policy-Report-Only
    • Similar to CSP above, but only reports, no enforcement


Here is a script that incorporates three of the above headers, which are generally safe to add to any application:

And that's it: about 20 lines of code to add 100 more bytes to the total HTTP response, and enhanced application security! Go get your own FREE license and try it today!

Comments
Ahmed_Eissa_206
Nimbostratus
I think it can be added with an iRule... can you give an example?
Johnny_Schmidt_
Historic F5 Account
This is for LineRate, a software-only product that is completely separate from BIG-IP. iRules is a technology included in BIG-IP, separate from LineRate. That said, the following iRules commands do provide essentially the same functionality as above:

when HTTP_RESPONSE {
    HTTP::header insert X-Frame-Options deny
    HTTP::header insert X-XSS-Protection "1; mode=block"
    HTTP::header insert X-Content-Type-Options nosniff
}
Version history
Last update: 11-Jun-2015 12:02