
Conditional policy for security header based on URI path

Kevin_Lange
Nimbostratus

I'm struggling to get a conditional policy based on URI to work properly. I'm trying to set X-Frame-Options based on paths, such that the header is more relaxed on specific paths, but more strict on anything else. The below code results in ALLOWALL for pretty much everything. I'm fairly certain the application is sending ALLOWALL for everything. I'm just trying to enforce defaults at the LTM, permitting conditional.

 

    "X-Frame-Options header SAMEORIGIN" {
        actions {
            0 {
                http-header
                response
                replace
                name X-Frame-Options
                value SAMEORIGIN
            }
        }
        conditions {
            0 {
                http-uri
                path
                not
                starts-with
                values { /path-a/ /path-b/subpath/ /path-c/ }
            }
            1 {
                http-header
                response
                name X-Frame-Options
                not
                contains
                values { SAMEORIGIN }
            }
        }
        ordinal 3
    }
    "X-Frame-Options header ALLOWALL" {
        actions {
            0 {
                http-header
                response
                replace
                name X-Frame-Options
                value ALLOWALL
            }
        }
        conditions {
            0 {
                http-uri
                path
                starts-with
                values { /path-a/ /path-b/subpath/ /path-c/ }
            }
            1 {
                http-header
                response
                name X-Frame-Options
                not
                contains
                values { ALLOWALL }
            }
        }
        ordinal 2
    }
1 REPLY

nathe
Cirrocumulus

Kevin, do you have a OneConnect profile attached to the VS? Also see K15097 to see if this looks to explain what you are seeing, even though this references Pools and not headers.

 

Hope this helps

 

N
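
The intent described in the question, written as an iRule rather than an LTM policy. This is an added example, not code from the thread or from either poster: it swaps in a different mechanism, recording the path decision at request time and applying the header at response time. The variable name `xfo_relaxed` is an assumption, and the path list is copied from the posted policy.

```tcl
when HTTP_REQUEST {
    # Decide per request whether this path is on the relaxed list.
    # Reset on every request so a reused connection cannot carry
    # over the decision made for an earlier request.
    set xfo_relaxed 0
    switch -glob -- [HTTP::path] {
        "/path-a/*" -
        "/path-b/subpath/*" -
        "/path-c/*" {
            set xfo_relaxed 1
        }
    }
}

when HTTP_RESPONSE {
    # HTTP::header replace overwrites an existing X-Frame-Options value
    # from the application, or adds the header if the response has none.
    if { [info exists xfo_relaxed] && $xfo_relaxed } {
        HTTP::header replace X-Frame-Options "ALLOWALL"
    } else {
        # Strict default for every path not listed above.
        HTTP::header replace X-Frame-Options "SAMEORIGIN"
    }
}
```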