Security Headers Insertion
Problem this snippet solves:
Centralize the security header management for one or more domains on the recommendation of SecurityHeaders.io.
Be warned!! You can really do damage to your availability if you do not understand these headers and their implications for your client browsers; make sure your header values are tested and vetted before applying them to any production traffic.
Background on the headers:
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Public-Key-Pins
- Strict-Transport-Security
How to use this snippet:
Apply this iRule to your virtual servers once it is customized for your environment.
Code:
~~~
when RULE_INIT {
    # Example pins from the snippet; replace with the SPKI hashes of your own
    # key and a backup key before use.
    set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
    set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
    set static::max_age 15552000
}
when HTTP_REQUEST {
    # Redirect to HTTPS; intended for the HTTP (port 80) virtual server only,
    # otherwise every request to the HTTPS virtual server redirects to itself.
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
    #HSTS
    HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
    #HPKP (directives are ';'-separated, and the header requires a second, backup pin)
    HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\"; pin-sha256=\"$static::fqdn_pin2\"; max-age=$static::max_age; includeSubDomains"
    #X-XSS-Protection
    HTTP::header insert X-XSS-Protection "1; mode=block"
    #X-Frame-Options
    HTTP::header insert X-Frame-Options "DENY"
    #X-Content-Type-Options
    HTTP::header insert X-Content-Type-Options "nosniff"
    #CSP
    HTTP::header insert Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
    #CSP for IE
    HTTP::header insert X-Content-Security-Policy "default-src https://devcentral.f5.com/s:443"
}
~~~
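To vet the header values before they reach production traffic, here is an added Python audit (an example added here, not part of the original snippet or F5's code) that checks a response's headers against the values this iRule sets. The two sample responses are constructed, and PIN1/PIN2 are placeholder pin values.

```python
from typing import Dict, List

# Constructed sample responses (not captured from a real server): GOOD mirrors the headers the
# iRule sets; WEAK has a short HSTS max-age, one HPKP pin with the ';' missing, a bad X-Frame-Options.
GOOD = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="PIN1"; pin-sha256="PIN2"; max-age=15552000; includeSubDomains',
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src https://devcentral.f5.com/s:443",
}
WEAK = {"strict-transport-security": "max-age=60",
        "Public-Key-Pins": 'pin-sha256="PIN1" max-age=15552000', "X-Frame-Options": "ALLOWALL"}

def parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a 'name=value; flag' header value into {lower-name: [values]}."""
    out: Dict[str, List[str]] = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        out.setdefault(name.strip().lower(), []).append(val.strip().strip('"'))
    return out

def max_age(d: Dict[str, List[str]]) -> int:
    v = d.get("max-age", [""])[0]  # -1 when the directive is absent or not numeric
    return int(v) if v.isdigit() else -1

def audit_security_headers(headers: Dict[str, str], min_age: int = 15552000) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    else:
        d = parse_directives(h["strict-transport-security"])
        if max_age(d) < min_age:
            findings.append(f"HSTS max-age below {min_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    if "public-key-pins" in h:  # optional (and now deprecated), but if sent it must be well-formed
        d = parse_directives(h["public-key-pins"])
        if len(d.get("pin-sha256", [])) < 2:
            findings.append("HPKP needs at least two pins (a backup pin)")
        if max_age(d) < 0:
            findings.append("HPKP lacks a numeric max-age")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings
```

Feed it the header dict from a real response (for example `requests.get(url).headers`) and treat any non-empty result as a blocker before the iRule goes live.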
Tested this on version:
12.0
Comments
- If the headers are already present, in the case of HSTS or Content Security Policy, one can override with the new header by removing the old header, like this:
~~~
when HTTP_RESPONSE {
    # header name as a plain string (braces around a quoted string would keep the quotes in the name)
    set strictTransportSecurityHeader "Strict-Transport-Security"
    if { [HTTP::header exists $strictTransportSecurityHeader] } {
        HTTP::header remove $strictTransportSecurityHeader
    }
    HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
~~~
- JRahm
Admin
yep, you can remove and insert, or a replace instead. - Vince_212173
Nimbostratus
Good stuff
Are these possible to insert on APM Webtops? Edit: added a working iRule for this on APM 13.0.
~~~
when HTTP_RESPONSE {
    if { !([HTTP::header "X-XSS-Protection"] eq "1; mode=block") } {
        HTTP::header replace X-XSS-Protection "1; mode=block"
    }
    log local0. "irule working"
    if { !([HTTP::header "X-Content-Type-Options"] eq "nosniff") } {
        HTTP::header replace X-Content-Type-Options "nosniff"
    }
    if { !([HTTP::header "Content-Security-Policy"] eq "frame-ancestors *;script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src 'self' data: ; connect-src 'self' wss:;") } {
        HTTP::header replace Content-Security-Policy "frame-ancestors *;script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src 'self' data: ; connect-src 'self' wss:;"
    }
}
~~~
- AlexDeMarco
Nimbostratus
What is the purpose of having this:
~~~
when HTTP_REQUEST {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}
~~~
- waleed_osama_23
Nimbostratus
I'm really interested to know why the 301 is needed as well; someone please respond if you have any idea.
- JRahm
Admin
The 301 should really be only for requests to the http vip. Including the explicit redirect to ssl is considered best practice for capturing the first (pre-hsts-enabled) request.
- waleed_osama_23
Nimbostratus
Hi Jason, I have a question on HSTS. Isn't it useless on F5, since it won't serve any non-HTTPS requests anyway on the VS?
- JRahm
Admin
HSTS isn't a helpful server-side setting anyway, it's a client-side protection you enable on the server-side.
- Mohanad
Cirrostratus
I tried this but it did not work.