Clickjacking protection using X-FRAME-OPTIONS: ALLOW-FROM URI

Question

Hello Folks,&nbsp;
Can anyone help by sharing a snippet of iRule by inserting XFRAME-OPTIONS:ALLOW-FROM (single / multiple URI)?&nbsp;
The requirement is to allow certain Frames from different applications hosted within the same environment. Since X-FRAME-OPIONS:Allow-from supports only 1 URI, can we create any iRule to embed multiple URI for "Allow-from" header?&nbsp;
Perhaps using String based Data group, and call that Data group within an iRule, and verify if the URI is part of the Data group? &nbsp;
Thank you mates!
Cheers!&nbsp;

zeeshan_ahmad_1 · Answer

Hi Darshan,
Note that in X-Frame-Options header Allow-From token does not support wildcards or listing of multiple origins and it is not supported by couple of browsers as well, you can use the below irule where you can mention the URL from where you want to make it accessible
 when HTTP_RESPONSE {
   HTTP::header replace X-Frame-Options "ALLOW-FROM http://www.mysite.com"
}

Forum Discussion

Clickjacking protection using X-FRAME-OPTIONS: ALLOW-FROM URI

1 Reply

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Removing x-frame-options header from response when using APM

Set x-frames-options header values depending on URI

Beyond REST: Protecting GraphQL

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection