X-Frame-Options with deny does not block iframe

Question

I have an iRule as follows:when HTTP_RESPONSE {   &nbsp;&nbsp; if {!([HTTP::header exists "X-Frame-Options"])} {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTP::header insert X-Frame-Options "DENY"&nbsp;&nbsp; }}&nbsp;I expected the following page was blocked.&lt;html&gt;&nbsp;&lt;iframe src="https://abc.org/wfc/logon" title="description"&gt;&lt;/iframe&gt;&nbsp;&lt;head&gt;&lt;/head&gt;&nbsp;&lt;body&gt;&nbsp;&lt;/body&gt;&lt;/html&gt;&nbsp;But it was not blocked.What did I miss here ?&nbsp;thanks !!

gongya · Answer

After more reading, it seems the x-frame-options prevents the page in my server from being loaded by someone else, right ?

If I loaded another page in the same server within iframe, the page should be loaded ?

When I tested it, the page was still loaded within <iframe> page </iframe>. Is this supposed to be?

gongya · Answer

How can I test a page blocked by x-frame-options DENY ?&nbsp;

gongya · Answer

I figured it out.  thanks !!

Forum Discussion

X-Frame-Options with deny does not block iframe

3 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Removing x-frame-options header from response when using APM

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Set x-frames-options header values depending on URI

Applying APM on an iframe

Block traffic