x-frame-options
3 Topics

Configuring X-Frame-Options Allow-From
Hi All, I have been asked by the business to configure X-Frame-Options Allow-From in the response header. A quick search gave me the iRule below:

    when HTTP_RESPONSE {
        HTTP::header insert "X-FRAME-OPTIONS" "SAMEORIGIN"
    }

However, the value of the XFO header is to be Allow-From. Can anyone please look into this for an appropriate iRule? Thanks in advance, MSK
3.2K Views, 0 likes, 6 Comments

X-Frame-Options: SAMEORIGIN header Question
Alright DC Community! This came in through Twitter and I thought I'd ask on behalf of Stefán Jökull Sigurðarson (@stebets) / DC Member Stebet:

Does anyone know how an X-Frame-Options: SAMEORIGIN header could start appearing after adding a separate Content-Security-Policy header in an app? I'm suspecting something within our @F5Networks LB? Anyone seen this? It only got added after I put in my CSP header on the app side of things, though. So I'm curious if it's some sort of automatic thing to do if a CSP header is detected? It was removed easily enough with an iRule, though.

@jasonrahm replied: If using CSP, frame-ancestors 'self' should invalidate the need for x-frame-options, but if you are not explicitly setting it, it must be gathered in a policy check somewhere before the app response is released.

Previous Q/As also discuss clickjacking and methods to mitigate it. Any other suggestions? Let's give him some advice! And, as always, appreciate the help!

ps
433 Views, 0 likes, 0 Comments