Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Set x-frames-options header values depending on URI

Go to solution
Chris_Baiocchet
Nimbostratus
Nimbostratus

‎24-Sep-2020 10:40

Hello,

 

I am trying to write an irule that sets the x-frame-options header value to SAMEORIGIN or a site, unless the URI contains a specific string. In that case I would want the x-frames-option value to be set to ALLOW. The code I have so far is show below, but the header value is always set to SAME origin when I examine headers on the client side, but I'm not sure what I'm missing:

 

when HTTP_REQUEST {

  if { [string tolower [HTTP::uri]] contains "/docsAPI" } {

    set insertXFrame 1

  }

  else {

    set insertXFrame 0

  }

}

when HTTP_RESPONSE {

  if {!([HTTP::header exists "X-Frame-Options" ])} {

    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"

  }

  if {!([HTTP::header exists "X-XSS-Protection"])} {

    HTTP::header insert "X-XSS-Protection" "1; mode=block"

  }

  if {!([HTTP::header exists "X-Content-Type-Options"])} {

    HTTP::header insert "X-Content-Type-Options" "nosniff"

  }

  if {!([HTTP::header exists "Strict-Transport-Security"])} {

    HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"

  }

  if { $insert_xframe } then {

    HTTP::header insert "X-Frame-Options" "ALLOWED"

  }

}

 

Would appreciate any thoughts or suggestions.

 

Thank you.

 

Chris

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Enes_Afsin_Al
MVP
MVP

‎24-Sep-2020 13:33 - last edited on ‎04-Jun-2023 21:17 by Fog

Hi Chris,

pay attention to use of "string tolower".

[string tolower [HTTP::uri]] contains "/docsapi"

View solution in original post

3 REPLIES 3

Go to solution
Enes_Afsin_Al
MVP
MVP

‎24-Sep-2020 13:33 - last edited on ‎04-Jun-2023 21:17 by Fog

Hi Chris,

pay attention to use of "string tolower".

[string tolower [HTTP::uri]] contains "/docsapi"

Go to solution
Chris_Baiocchet
Nimbostratus
Nimbostratus
In response to Enes_Afsin_Al

‎24-Sep-2020 14:18

Of course!!!

Thank you. case sensitivity always gets me 🙂

0 Kudos

Go to solution
hedmondjohn
Nimbostratus
Nimbostratus

‎22-May-2022 23:20

X-Frame-Options is a header included in the response to the request to state if the domain requested will allow itself to be displayed within a frame. It has nothing to do with javascript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource . They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. Browsers when see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.

 

0 Kudos
Copyright © 2023 Khoros, LLC