Configuring X-Frame-Options Allow-From

Question

Hi All,
I have been asked by the business to configure X-Frame-Options Allow-From in the response header.

Quick search gave me the below iRule,

when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" “SAMEORIGIN)”}

However, the value of the XFO is to be Allow-From.

Can anyone please look into this for an appropriate iRule.

Thanks in advance,
MSK

hannes_rapp_162 · Answer

It’s certainly doable but it’s a bit limiting solution for the customer. If you specify that Allow-From option, your customers will be restricted to Internet Explorer or Mozilla Firefox (Chrome, Chromium, Safari do not support Allow-From).
For public-facing applications, there are two options - use SAMEORIGIN as the value for X-Frame-Options, or do not use X-Frame-Options at all. It's a pity that developers of major web browsers do not cooperate to align standards
If you still want to go for it:
when HTTP_RESPONSE {

if { not([HTTP::header exists "X-Frame-Options"])}{
    HTTP::header insert X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
  } else {
    HTTP::header replace X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
  }

}

Have not tested for errors (please verify in QA, and check /var/log/ltm for TCL errors)
Regards,

hannes_rapp · Answer

It’s certainly doable but it’s a bit limiting solution for the customer. If you specify that Allow-From option, your customers will be restricted to Internet Explorer or Mozilla Firefox (Chrome, Chromium, Safari do not support Allow-From).
For public-facing applications, there are two options - use SAMEORIGIN as the value for X-Frame-Options, or do not use X-Frame-Options at all. It's a pity that developers of major web browsers do not cooperate to align standards
If you still want to go for it:
when HTTP_RESPONSE {

if { not([HTTP::header exists "X-Frame-Options"])}{
    HTTP::header insert X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
  } else {
    HTTP::header replace X-Frame-Options {ALLOW-FROM https://devcentral.f5.com}
  }

}

Have not tested for errors (please verify in QA, and check /var/log/ltm for TCL errors)
Regards,

msk_222682 · Answer

Hi Hannes,

Thanks for the quick response!

I agreed with you that it's the developers job to include security elements in their design phase itself rather than later.

With regards to the value, penetration results were successfully tested from IE11 &amp; Firefox46 for this application with the value set to Allow-From. So, they want to deploy this solution on BIG-IP.

Is it possible for you to share the iRule to set the X-Frame-Options header value to Allow-From.

Thanks in advance,
MSK

msk_222682 · Answer

Hi Hannes,

Thanks for the quick response!

I agreed with you that it's the developers job to include security elements in their design phase itself rather than later.

With regards to the value, penetration results were successfully tested from IE11 &amp; Firefox46 for this application with the value set to Allow-From. So, they want to deploy this solution on BIG-IP.

Is it possible for you to share the iRule to set the X-Frame-Options header value to Allow-From.

Thanks in advance,
MSK

hannes_rapp_162 · Answer

Amended my initial answer with the iRule

Forum Discussion

Configuring X-Frame-Options Allow-From

6 Replies

Recent Discussions

Help with URL Masking

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

Removing x-frame-options header from response when using APM

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Set x-frames-options header values depending on URI

allow one url from blocks geolocation

HTTPD IP allow ACL from Configuration Utility