
SecurityHeaders

mahanth
Altostratus

Can we add the missing headers and remove the raw headers using an iRule?

Missing Headers: Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Feature-Policy

Remove RAW Headers: Server, X-AspNetMvc-Version, X-AspNet-Version, X-Powered-By

2 REPLIES

Lidev
MVP

Hi mahanth,

To add security headers, take a look at this topic: https://devcentral.f5.com/s/articles/security-headers-insertion

https://support.f5.com/csp/article/K04436209

mahanth
Altostratus

Thanks Lidev. I have added a few more headers, and below is the iRule. However, while the vulnerability is gone, the webpage doesn't look right (except in IE). Not all images on the webpage are displayed, the position of the sign-in section has moved, etc.

when HTTP_RESPONSE {
    # Strip the server fingerprinting headers first. The X-* sweep has to run
    # before the inserts below, otherwise it removes the X-Frame-Options and
    # X-Content-Type-Options headers this rule has just added.
    # Remove all instances of the Server header
    HTTP::header remove Server

    # Remove all headers starting with X- (X-Powered-By, X-AspNet-Version,
    # X-AspNetMvc-Version, ...). [HTTP::header names] is a snapshot, so
    # removing while iterating is safe; remove drops every instance of a name.
    foreach header_name [HTTP::header names] {
        if { [string match -nocase "x-*" $header_name] } {
            HTTP::header remove $header_name
        }
    }

    # Add the security headers only where the server did not set them itself.
    if { ![HTTP::header exists "X-Frame-Options"] } {
        HTTP::header insert X-Frame-Options "DENY"
    }

    if { ![HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubdomains"
    }

    if { ![HTTP::header exists "X-Content-Type-Options"] } {
        HTTP::header insert X-Content-Type-Options "nosniff"
    }

    # This policy allows only same-origin scripts, styles, fonts, images and
    # frames and nothing inline; resources from other hosts and inline
    # <script>/<style>/style= content will be refused by the browser.
    if { ![HTTP::header exists "Content-Security-Policy"] } {
        HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; upgrade-insecure-requests"
    }

    if { ![HTTP::header exists "Referrer-Policy"] } {
        HTTP::header insert Referrer-Policy "strict-origin"
    }

    if { ![HTTP::header exists "Feature-Policy"] } {
        HTTP::header insert Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'"
    }
}
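What the posted policy actually blocks, as an added example that is not code from this thread or from F5: the Content-Security-Policy in the iRule above permits only same-origin loads and nothing inline, so every inline <script>, every style= attribute and every image, script or font fetched from another host (a CDN, Google Fonts) is refused by the browser. Missing images and a sign-in panel that has moved are the usual symptoms, and Internet Explorer does not enforce the Content-Security-Policy header, which is why the page still rendered there. The Python below is a small CSP evaluator run over a constructed resource list standing in for a typical ASP.NET MVC sign-in page. The page origin www.example.com, the host cdn.example.com and all file paths are assumptions; ajax.aspnetcdn.com and fonts.gstatic.com are real CDN hosts used only as plausible examples. Nonces, hashes, 'strict-dynamic' and port numbers are not modelled.

```python
"""Evaluate which page resources a Content-Security-Policy would block.

Added example, not code from the original thread or from F5. Hostnames,
paths and the resource list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not listed.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src",
}


@dataclass(frozen=True)
class Resource:
    label: str
    directive: str             # fetch directive governing the load
    url: Optional[str] = None  # None for inline <script>/<style>/style=

    @property
    def inline(self) -> bool:
        return self.url is None


def parse_csp(header: str) -> dict:
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _source_matches(src: str, res: Resource, page_origin: str) -> bool:
    """Match one source expression (keyword, scheme or host) to a resource.
    Nonces, hashes and 'strict-dynamic' are not modelled and read as blocking."""
    s = src.lower()
    if s.startswith("'"):                      # keyword sources
        if s == "'self'":
            return not res.inline and _origin(res.url) == page_origin
        if s == "'unsafe-inline'":
            return res.inline
        return False                           # 'none', nonces, hashes
    if res.inline:
        return False                           # host sources never allow inline
    if s == "*":
        return True
    u = urlsplit(res.url)
    if s.endswith(":"):                        # scheme source, e.g. data: https:
        return u.scheme.lower() == s[:-1]
    scheme, _, host_expr = s.rpartition("://")
    if scheme and u.scheme.lower() != scheme:
        return False
    host_expr = host_expr.split("/", 1)[0]     # drop any path part (ports ignored)
    host = (u.hostname or "").lower()
    if host_expr.startswith("*."):
        return host.endswith(host_expr[1:])
    return host == host_expr


def is_allowed(policy: dict, res: Resource, page_origin: str) -> bool:
    sources = policy.get(res.directive)
    if sources is None and res.directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                            # no directive governs it
    return any(_source_matches(s, res, page_origin) for s in sources)


def blocked(header: str, resources, page_origin: str) -> list:
    """Labels of the resources the policy would refuse, in page order."""
    policy = parse_csp(header)
    return [r.label for r in resources if not is_allowed(policy, r, page_origin)]


PAGE_ORIGIN = "https://www.example.com"        # assumed site origin

# Constructed resources: what a stock ASP.NET MVC sign-in page tends to load.
PAGE_RESOURCES = [
    Resource("site.css", "style-src", "https://www.example.com/Content/site.css"),
    Resource("inline style= on sign-in panel", "style-src"),
    Resource("jquery from Microsoft CDN", "script-src",
             "https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.4.1.min.js"),
    Resource("inline <script> (validation setup)", "script-src"),
    Resource("logo from image CDN", "img-src", "https://cdn.example.com/logo.png"),
    Resource("data: URI icon", "img-src", "data:image/png;base64,iVBORw0KGgo="),
    Resource("Google web font", "font-src",
             "https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxK.woff2"),
]

# Exactly the policy the iRule above inserts.
POSTED_POLICY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                 "font-src 'self'; img-src 'self'; frame-src 'self'; "
                 "upgrade-insecure-requests")

# One way to loosen it: allow the origins the page really uses and tolerate
# inline styles, but keep inline scripts blocked (move them to a file or add a
# nonce rather than enabling 'unsafe-inline' for script-src).
ADJUSTED_POLICY = ("default-src 'self'; script-src 'self' https://ajax.aspnetcdn.com; "
                   "style-src 'self' 'unsafe-inline'; "
                   "img-src 'self' data: https://cdn.example.com; "
                   "font-src 'self' https://fonts.gstatic.com; frame-src 'self'; "
                   "upgrade-insecure-requests")

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("adjusted", ADJUSTED_POLICY)):
        print(f"{name} policy blocks: {blocked(pol, PAGE_RESOURCES, PAGE_ORIGIN)}")
```

Run it and the posted policy blocks six of the seven constructed resources, the adjusted one only the inline script. In practice the safer sequence is to insert the header as Content-Security-Policy-Report-Only with a report-uri first, collect the real violation reports from the browsers, and only then switch to the enforcing header with the source lists that the reports justify.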