security headers

I need some help trying to figure out why my standard security headers are not being applied to a specific VIP. I am inserting X-FRAME-OPTIONS, X-XSS-PROTECTION and CONTENT-SECURITY-POLICY on all my Virtual Servers using an iRule. For all VSs they work if you scan the DNS name (using nmap or securityheaders.io), but if I scan using the IP, all but one VS pass (just one VIP shows no headers; it does show HSTS, which I am applying through a policy, though). Any thoughts as to why one VIP would behave differently than the others?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It is difficult to say without understanding your configuration; most likely it is a configuration mistake somewhere on that VIP. Is it possible that you have two VIPs, one listening on port 80 and another on port 443, and you applied the iRule to just one of them?

0
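As an added example (not the original poster's iRule and not F5 code), here is an iRule of the shape the question describes, written so that the same rule can be attached to both the port 80 and the port 443 virtual server the answer asks about. The virtual server names and the header values are assumptions for illustration. The point it makes for the port-80 case: a redirect issued with HTTP::respond is generated on the BIG-IP itself and never goes through HTTP_RESPONSE, so headers inserted only in HTTP_RESPONSE will not appear on it, and a scanner that hits http://IP and does not follow the redirect sees nothing. The same applies to any response the BIG-IP generates locally rather than forwarding from a pool member.

```tcl
# Added example iRule (not from the thread). Assumes two virtual servers,
# vs_app_80 (plain HTTP) and vs_app_443 (HTTPS, pool to the Apache servers),
# with this iRule attached to BOTH of them.

when HTTP_REQUEST {
    # Port-80 VIP: send every request to HTTPS. Because HTTP::respond
    # builds the response here on the BIG-IP, the HTTP_RESPONSE event
    # below will not run for it, so the security headers have to be put
    # on the redirect explicitly.
    if { [TCP::local_port] == 80 } {
        HTTP::respond 301 noserver \
            Location "https://[HTTP::host][HTTP::uri]" \
            X-Frame-Options "SAMEORIGIN" \
            X-XSS-Protection "1; mode=block" \
            Content-Security-Policy "default-src 'self'"
        return
    }
}

when HTTP_RESPONSE {
    # Runs only for responses coming back from a pool member.
    # Remove-then-insert avoids a duplicate header when the origin
    # (e.g. the Apache config the poster tried) already sets one.
    foreach {name value} [list \
        X-Frame-Options "SAMEORIGIN" \
        X-XSS-Protection "1; mode=block" \
        Content-Security-Policy "default-src 'self'"] {
        HTTP::header remove $name
        HTTP::header insert $name $value
    }

    # HSTS only makes sense on the TLS virtual server; a browser ignores
    # it when received over plain HTTP.
    if { [TCP::local_port] == 443 } {
        HTTP::header remove Strict-Transport-Security
        HTTP::header insert Strict-Transport-Security \
            "max-age=31536000; includeSubDomains"
    }
}
```

To check which hop is missing the headers, scan the IP on both ports separately and look at the first response before any redirect is followed (for example `curl -sI http://IP/` and `curl -skI https://IP/`), rather than trusting a scanner that reports only the final page. Note that this only covers responses the iRule sees; a blocking page that ASM generates is not a pool-member response either, which is what the rest of this thread turns out to be about.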
Comments on this Answer
Comment made 04-Feb-2018 by pedinopa@gmail.com 369

It's actually stranger than that. Yes, I have applied the same iRule to both VIPs (80 and 443); I have also tried setting the headers with a policy and linking it to both VIPs. Still the headers don't show on port 80. We gave up on having the F5 attach the headers and configured the Apache server to do it, so the F5 VIPs are a pure pass-through. That did not help with port 80; port 443 was fine. So it seems to be a networking issue, and now it's a little beyond me, so I am looking for other areas to look at.

We are thinking it's a false positive because of the redirect to port 443 and the scanners are getting confused.

0
Comment made 04-Feb-2018 by Only1masterblaster 608

Is there any possibility that http (80) is being redirected to 443?

0
Comment made 05-Feb-2018 by pedinopa@gmail.com 369

I think we figured out that it is the default page on the ASM which has no headers. How do you set default headers in ASM?

0
Comment made 05-Feb-2018 by Shann_P 355

You can customize the response page of the Policy and just add those headers to that.

Application Security -> Policy -> Response Page

Then you can change from Default Response to Customized Response.

0
Comment made 05-Feb-2018 by pedinopa@gmail.com 369

Yes, I found that, and it is working for all Virtual Servers. I am now looking into response logging.

0
Comment made 05-Feb-2018 by pedinopa@gmail.com 369

Thank you for all your help; the JSP code was getting in the way.

0