
Issues with X-XSS Protection HTTP Header

Hey folks, we recently implemented some HTTP headers onto our F5 iRules and recently noticed that one of them (X-XSS-Protection) isn't showing up.

At the moment, we have them in place in our irule as such:

when HTTP_REQUEST {
  if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
  if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
  # the header value must be the bare token nosniff; wrapping it in single quotes sends 'nosniff', which browsers ignore
  if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
}

When we run a curl URL -I against the site, it returns the X-Content-Type-Options and X-Frame-Options headers, but not the X-XSS-Protection header. Is there something we're doing wrong?

Thanks!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Following up! Turns out the answer is we needed to have these headers under "HTTP_RESPONSE" (not REQUEST). What it looks like in a working state in our iRules:

when HTTP_RESPONSE {
  # HTML Headers for PCI failures
  # Inserting here, on the response from the pool member, is what makes the headers reach the client.
  if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
  if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
  # the header value must be the bare token nosniff; wrapping it in single quotes sends 'nosniff', which browsers ignore
  if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
}
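The thread verifies the fix by eyeballing `curl -I` output. As an added example (not code from the thread or from F5), the script below does that check mechanically: it parses the raw header block `curl -I` prints and reports, for each of the three headers the iRule inserts, whether the header is present and whether its value is one a browser will honour. The value check matters because a header can be present yet useless, for instance `X-Content-Type-Options: 'nosniff'` with literal quotes. The two sample responses are constructed to match what the thread describes: the first as seen before the fix (X-XSS-Protection absent), the second after moving the inserts to HTTP_RESPONSE. The allowed-value table is an assumption of this example; note also that X-XSS-Protection is a legacy header that current browsers ignore, so the other two headers (and a Content-Security-Policy, which the thread does not cover) carry the real protection.

```python
"""Check security headers in a raw HTTP/1.x response header block.

Added example for the DevCentral thread above; not F5 code. Takes the text
that `curl -I` prints and reports, per expected header, whether it is
present and carries a value browsers recognise.
"""

# Allowed values per header (assumption of this example, based on the
# documented syntax of each header). X-XSS-Protection is legacy, but it is
# what the PCI scan in the thread asked for, so it is still checked here.
EXPECTED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"0", "1", "1; mode=block"},
    "x-content-type-options": {"nosniff"},
}


def parse_headers(raw: str) -> dict:
    """Parse a raw header block (status line plus 'Name: value' lines) into a
    dict keyed by lower-cased header name. The status line and any line
    without a colon are skipped; a repeated header keeps its first value."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def check_security_headers(raw: str) -> dict:
    """Return {header: status} for every header in EXPECTED, where status is
    'ok', 'missing', or 'bad value: <value as sent>'."""
    headers = parse_headers(raw)
    result = {}
    for name, allowed in EXPECTED.items():
        if name not in headers:
            result[name] = "missing"
        elif headers[name].lower() not in allowed:
            result[name] = f"bad value: {headers[name]}"
        else:
            result[name] = "ok"
    return result


# Constructed sample: the response the thread reports before the fix, where
# X-XSS-Protection never reached the client. The quoted nosniff value shows
# the second problem the value check catches.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: 'nosniff'
Content-Type: text/html
"""

# Constructed sample: the response after the inserts were moved to
# HTTP_RESPONSE and the quotes around nosniff were dropped.
SAMPLE_AFTER = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

if __name__ == "__main__":
    # Usage: paste real `curl -sI https://host/` output in place of a sample.
    for label, raw in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(label)
        for name, status in check_security_headers(raw).items():
            print(f"  {name}: {status}")
```

Run it against real output by piping `curl -sI` into a file and passing the contents to `check_security_headers`; a status other than `ok` for any header is the signal that either the iRule event is wrong (header missing) or the inserted value is malformed (bad value).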

At first glance I can't see anything wrong with your iRule. Could you try the following? I've added logging to the X-XSS-Protection if statement to see if it already exists and what its value is.

Have you also tried this in a web browser developer window and received the same results?

when HTTP_REQUEST {
  if { !([HTTP::header exists "X-Frame-Options"]) } {
    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
  }
  if { !([HTTP::header exists "X-XSS-Protection"]) } {
    HTTP::header insert "X-XSS-Protection" "1; mode=block"
  } else {
    # logged to the local LTM log when the request already carries the header
    log local0. "Header X-XSS-Protection exists, Value:[HTTP::header value X-XSS-Protection]"
  }
  if { !([HTTP::header exists "X-Content-Type-Options"]) } {
    # the header value must be the bare token nosniff; wrapping it in single quotes sends 'nosniff', which browsers ignore
    HTTP::header insert "X-Content-Type-Options" "nosniff"
  }
}
Comments on this Answer
Comment made 19-Mar-2018 by Zach C 18

Thanks! I added the logging line to the iRules (had to wait until Monday). I wasn't using a browser to test this, just a curl via terminal. Would the logging that was enabled show up in /var/log/ltm? I'm not too sure what to be looking for.

Thanks again!
