Removing x-frame-options header from response when using APM

Question

Hey everyone!We have an application that uses iframe to load another site that´s apm protected, but the default x-frame-options deny blocks this. Anyone have any ideas on how to bypass this (withouth globally disabling this feature)?I´ve tried several irules at different events to remove the header, but without any progress..&nbsp;

juergen_mang · Accepted Answer

This should do the trick.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove "x-frame-options"
}
&nbsp;

kimhenriksen · Answer

Will give it a try, just have to wait for the user to test again 🙂

kimhenriksen · Answer

That´s a negative on that, your irule was almost identical to mine .. except for the first event. But what i added that, the apm policy doesnt fire at all... When i access the vip there is nothing.

kimhenriksen · Answer

Yes, we had some other issues.. and they just appeared at the same time. The first part was what i was missing, so this will not be forgotten in the future.&nbsp;when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}&nbsp;

Forum Discussion

Removing x-frame-options header from response when using APM

5 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Set x-frames-options header values depending on URI

Introduction of Incident Response

Remove X- Headers From Web Server Response

custom response page for api