Inserting X-frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security

Preet_pk
Nimbostratus

Hi,

We have multiple web applications running on a single Virtual server with host/domain based pool routing.

For example:

red.lab.ae
green.lab.ae

iRule:

when HTTP_REQUEST {
	switch [string tolower [HTTP::host]] {
		red.lab.ae {
			pool Red_Pool1
		}
		green.lab.ae {
			pool Green_Pool1
		}
	}
}

In order to mitigate the Qualys security scan threat QID 11827, please let me know if there is any option to insert the missing security HTTP response headers only for one host name (for example, for green.lab.ae only) in the iRule.


Hi Preet_pk,

when HTTP_REQUEST {
	# Flag set per request so the response side knows which host it belongs to
	set status 0
	switch [string tolower [HTTP::host]] {
		"red.lab.ae" {
			pool Red_Pool1
		}
		"green.lab.ae" {
			set status 1
			pool Green_Pool1
		}
	}
}

when HTTP_RESPONSE {
	# Only responses for green.lab.ae are touched; each header is inserted
	# only if the pool member did not already send it
	if { $status } {
		if { !([HTTP::header exists "Strict-Transport-Security"]) } {
			HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains;"
		}
		if { !([HTTP::header exists "X-Content-Type-Options"]) } {
			HTTP::header insert "X-Content-Type-Options" "nosniff"
		}
		if { !([HTTP::header exists "X-Frame-Options"]) } {
			HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
		}
		if { !([HTTP::header exists "X-XSS-Protection"]) } {
			HTTP::header insert "X-XSS-Protection" "1; mode=block"
		}
	}
}

You may need to change the header values.
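A way to confirm the result per host before re-running the scanner, as an added example that is not part of this thread: this Python script audits a response's headers against the four the iRule above inserts (presence plus the value each one should carry), and `audit_host` sends a HEAD request with the Host header set so the host-based switch routes it like a scanner's request would. The sample headers below are constructed; `audit_host` needs network access and a resolvable hostname.

```python
import http.client

def _check_hsts(value):
    """Require a numeric max-age and includeSubDomains, as the iRule sets."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    age = next((d[8:] for d in directives if d.startswith("max-age=")), "")
    if not age.isdigit():
        return "Strict-Transport-Security has no numeric max-age"
    if "includesubdomains" not in directives:
        return "Strict-Transport-Security lacks includeSubDomains"
    return None

def _check_xfo(value):
    ok = value.strip().upper() in ("DENY", "SAMEORIGIN")
    return None if ok else f"X-Frame-Options has unexpected value {value!r}"

def _check_xcto(value):
    ok = value.strip().lower() == "nosniff"
    return None if ok else "X-Content-Type-Options is not nosniff"

# Lower-case header name -> validator; None means the value is acceptable.
CHECKS = {
    "strict-transport-security": _check_hsts,
    "x-content-type-options": _check_xcto,
    "x-frame-options": _check_xfo,
    "x-xss-protection": lambda value: None,  # presence only (see the MDN link)
}

def audit_headers(headers):
    """Return findings for a mapping of response headers (any name case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif problem := check(lower[name]):
            findings.append(problem)
    return findings

def audit_host(host, port=443, path="/"):
    """HEAD `host` over TLS with Host set, so the iRule's switch picks its pool."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    return audit_headers(dict(conn.getresponse().getheaders()))

GREEN_SAMPLE = {  # constructed: what the iRule leaves on a green.lab.ae response
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains;",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
```

Running `audit_host("green.lab.ae")` should return an empty list once the iRule is active, while red.lab.ae reports the headers its pool does not send itself.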

Juergen_Mang
Cirrus

Before adding X-XSS-Protection header read this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection