Way to replace HTTP header being applied by APM portals

All full webtop portals I create have this HTTP header, which I need to override. Using iRules for this is failing.

Header in question:

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' ws: wss: jar: data:;

I need to modify it to include "connect-src *"

Here's my iRule:

when HTTP_RESPONSE {
    set cspstring "default-src 'self' 'unsafe-inline' 'unsafe-eval' ws: wss: jar: data:; connect-src *"
    HTTP::header replace Content-Security-Policy $cspstring
}

The header is never replaced on the VS's I apply this to. I can manipulate any other header, but this one seems to be permanent for some reason.

Any help much appreciated! Michael

0
Comments on this Question
Comment made 17-Aug-2015 by mapennell 76
I'm pretty convinced there's something preventing me from modifying the CSP header out of the F5. I can't find this referenced in any documentation. Definitely could use some help...
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

What happens if you try removing the header instead of a replace? What version of TMOS are you running?

when HTTP_RESPONSE_RELEASE {
    foreach header {Content-Security-Policy} {
        log local0. "Removing $header: [HTTP::header value $header]"
        HTTP::header remove $header
    }
}

0
Comments on this Answer
Comment made 1 month ago by Abed AL-R 216

Hi Jon Bartlett

I came across this issue today, LTM/APM 12.1.3.

I used the iRule you mentioned and it solved the problem in Chrome.

In IE Edge or 10 the problem is still happening.

The thing with IE is that it does not show the error message, it just freezes.

I even tried replacing the iRule with this one:

when HTTP_RESPONSE_RELEASE {
    foreach header {X-Content-Security-Policy} {
        log local0. "Removing $header: [HTTP::header value $header]"
        HTTP::header remove $header
    }
}

Didn't help..

If I try to open the web application internally, without APM, it works fine with all browsers.

What could be done here?

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The CSP header value is actually coming from APM, so there's no local response event that can catch that. The best option would be to put a VIP targeting solution in front of your APM VIP. The external VIP would be able to see and manipulate the internal APM's responses. You'd put your client SSL handling on the external VIP and the internal APM VIP would listen on HTTP. Here's what that external iRule might look like:

when CLIENT_ACCEPTED {
    virtual internal-vip
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
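        # Keep the ';' so connect-src becomes its own directive instead of
        # being appended to default-src's source list.
        HTTP::header replace Content-Security-Policy [string map {";" "; connect-src *;"} [HTTP::header Content-Security-Policy]]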
    }
}
0
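
A separator-aware way to add or override `connect-src`, as an added example that is not part of the original answer or F5's code: `string map` on `;` touches every separator in the header, whereas this splits the policy into directives and rewrites only the named one. The proc name `csp_set_directive` and the sample policies are hypothetical; it runs as plain Tcl under `tclsh`, and calling it from the external virtual server's `HTTP_RESPONSE` event is an assumption.

```tcl
# Added example; csp_set_directive is a hypothetical helper, not an F5 API.
# Sets one directive in a Content-Security-Policy value without touching
# the others. Uses only basic string and list commands.
proc csp_set_directive {policy name sources} {
    set out {}
    set replaced 0
    foreach directive [split $policy ";"] {
        set directive [string trim $directive]
        # A trailing ';' produces an empty element; skip it.
        if {$directive eq ""} { continue }
        # The directive name is the first token and is case-insensitive.
        regexp {^\S+} $directive dname
        if {[string equal -nocase $dname $name]} {
            # Browsers honour only the first occurrence of a directive,
            # so rewrite the first one and drop any later duplicates.
            if {!$replaced} { lappend out "$name $sources" }
            set replaced 1
        } else {
            lappend out $directive
        }
    }
    # Directive was not present: append it as a new one.
    if {!$replaced} { lappend out "$name $sources" }
    return "[join $out {; }];"
}

# Constructed inputs: the value quoted in the question, and a
# multi-directive policy to show the difference from a blanket ';' rewrite.
set apm_csp "default-src 'self' 'unsafe-inline' 'unsafe-eval' ws: wss: jar: data:;"
set multi   "default-src 'self'; img-src data:; connect-src 'self';"

puts [csp_set_directive $apm_csp connect-src "*"]
puts [csp_set_directive $multi   connect-src "*"]
```

Passing a specific origin list as `sources` instead of `*` keeps the resulting policy narrower.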
Comments on this Answer
Comment made 16-Oct-2016 by Thrillseeker 291

Hi,

Still no other solution around to replace CSP headers when using APM Portal feature?

Thanks in advance Thrillseeker

0
Comment made 17-Feb-2017 by THi 1154

I could remove the APM inserted CSP header using HTTP_RESPONSE_RELEASE event. Assume you might be able to replace content, too.

0