Alan_Johnson_30 (Nimbostratus)
Nov 29, 2017
HTTP Security Headers - LTM Policies
Hi folks,
I'm trying to create some LTM Policies for the following:
• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy
• Strict-Transport-Security
I already have the following working iRules, but would like to use Policies instead to limit impact on CPU:
X-XSS-Protection
when HTTP_RESPONSE {
    # Insert only when the backend did not already set the header
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
}
X-Content-Type-Options
when HTTP_RESPONSE {
    # The value must be the bare token nosniff; browsers ignore a quoted 'nosniff'
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
Content-Security-Policy
when HTTP_RESPONSE {
    # No trailing space in the header name, or the exists check never matches
    if { !([HTTP::header exists "Content-Security-Policy"]) } {
        HTTP::header insert "Content-Security-Policy" "default-src 'self';"
    }
}
Strict-Transport-Security
when HTTP_RESPONSE {
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400"
    }
}
...and here's what I've come up with so far for LTM Policy versions. Full disclosure, I'm a total novice with policies. Am I even close?
ltm policy X-XSS-Protection {
    last-modified 2017-11-28:13:37:23
    requires { http }
    rules {
        X-XSS-Protection {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-XSS-Protection
                    value "1; mode=block"
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name X-XSS-Protection
                    not
                    exists
                }
            }
        }
    }
    status published
    strategy first-match
}
ltm policy X-Content-Type-Options {
    last-modified 2017-11-28:13:37:19
    requires { http }
    rules {
        X-Content-Type-Options {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name X-Content-Type-Options
                    value "nosniff"
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name X-Content-Type-Options
                    not
                    exists
                }
            }
        }
    }
    status published
    strategy first-match
}
ltm policy content-security-policy {
    last-modified 2017-11-28:13:37:25
    requires { http }
    rules {
        content-security-policy {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name Content-Security-Policy
                    value "default-src 'self';"
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name Content-Security-Policy
                    not
                    exists
                }
            }
        }
    }
    status published
    strategy first-match
}
ltm policy Strict-Transport-Security {
    last-modified 2017-11-28:13:37:15
    requires { http }
    rules {
        Strict-Transport-Security {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name Strict-Transport-Security
                    value "max-age=16070400"
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name Strict-Transport-Security
                    not
                    exists
                }
            }
        }
    }
    status published
    strategy first-match
}
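Added example, not part of the original post and not F5 code: a small offline checker for the four response headers the iRules and policies above insert. It is written in Python rather than Tcl so it can be run against a captured header set without a BIG-IP. It mirrors the insert-if-absent behaviour (header names compared case-insensitively, as HTTP::header exists does) and then validates the values, so a quoted 'nosniff' or a trailing space in a header name shows up before a policy is published. The function names, the DEFAULT_HEADERS table and the sample response are my own constructions.

```python
# Added example (not from the original post or from F5): offline check of the
# four response headers discussed above. Names and sample data are constructed.
import re

# Canonical values matching what the iRules above insert.
DEFAULT_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self';",
    "Strict-Transport-Security": "max-age=16070400",
}


def get_header(headers, name):
    """Case-insensitive lookup; surrounding whitespace in the stored name is ignored."""
    for key, value in headers.items():
        if key.strip().lower() == name.lower():
            return value
    return None


def apply_security_headers(headers, defaults=DEFAULT_HEADERS):
    """Return a copy of headers with each default inserted only if it is absent,
    which is the behaviour the 'not exists' policy conditions are meant to give."""
    result = dict(headers)
    for name, value in defaults.items():
        if get_header(result, name) is None:
            result[name] = value
    return result


def check_security_headers(headers, https=True):
    """Return a list of findings; an empty list means all four headers look right."""
    findings = []

    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        findings.append("X-Content-Type-Options missing")
    elif value.strip().lower() != "nosniff":
        # Browsers only honour the bare token; a quoted 'nosniff' is ignored.
        findings.append(f"X-Content-Type-Options must be exactly nosniff, got {value!r}")

    value = get_header(headers, "X-XSS-Protection")
    if value is None:
        findings.append("X-XSS-Protection missing")
    elif not re.fullmatch(r"\s*(0|1(\s*;\s*mode=block)?)\s*", value):
        findings.append(f"X-XSS-Protection has unexpected value {value!r}")

    value = get_header(headers, "Content-Security-Policy")
    if value is None:
        findings.append("Content-Security-Policy missing")
    else:
        # First token of each ';'-separated directive is the directive name.
        directives = {d.strip().split()[0] for d in value.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("Content-Security-Policy has no default-src fallback")

    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        if https:
            findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", value)
        if not match:
            findings.append("Strict-Transport-Security has no max-age directive")
        elif int(match.group(1)) == 0:
            findings.append("Strict-Transport-Security max-age=0 removes the policy")
        if not https:
            # RFC 6797: user agents ignore STS received over plain HTTP.
            findings.append("Strict-Transport-Security sent over HTTP is ignored by browsers")

    return findings


if __name__ == "__main__":
    # Constructed sample response: the backend already set X-Content-Type-Options,
    # with the quoting mistake from the original rule above.
    sample = {"Content-Type": "text/html", "x-content-type-options": "'nosniff'"}
    for finding in check_security_headers(sample):
        print("before:", finding)
    inserted = apply_security_headers(sample)
    print("after insert-if-absent:", inserted)
    for finding in check_security_headers(inserted):
        print("still wrong:", finding)
```

The second pass shows the point of the checker: insert-if-absent leaves a backend-supplied value alone, so a wrong value the application already sends is not corrected by the policy and has to be fixed at the source or replaced rather than inserted.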