Forum Discussion

stukat_283500
Apr 10, 2018

APM irule to add security headers on http_response

I have been trying to add an iRule to shore up security on a virtual server. Qualys is reporting vulnerabilities. In this instance, the user hits an F5 login page for manual authentication (user/password). My iRules are only being hit on request, not response. Rules are currently:

when HTTP_RESPONSE {
    # Tell clients and intermediaries not to cache the response
    HTTP::header replace Cache-Control "no-cache,no-store,must-revalidate"
    HTTP::header insert Pragma "no-cache"
}

and

when HTTP_RESPONSE {
    # Add each security header only if the response does not already carry it
    if { !([ HTTP::header exists "X-Frame-Options" ])} {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { !([ HTTP::header exists "X-XSS-Protection" ])} {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if { !([ HTTP::header exists "X-Content-Type-Options" ])} {
        # The value must be the bare token nosniff, without embedded single quotes
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
    if { !([ HTTP::header exists "Strict-Transport-Security" ])} {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}

Any help would be appreciated.
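
Added example, not part of the original post: the same headers set from the HTTP_RESPONSE_RELEASE event, which fires when the BIG-IP is about to release a response to the client. It assumes the login page is generated by APM itself rather than returned by a pool member, which would explain why HTTP_RESPONSE never fires for it.

```tcl
# Added example (not the poster's code).
# Assumption: the logon page is produced by APM, so there is no server-side
# response and HTTP_RESPONSE is never triggered for it.
when HTTP_RESPONSE_RELEASE {
    # Caching directives: replace overwrites an existing value or adds the
    # header when it is absent, so exactly one copy is sent.
    HTTP::header replace "Cache-Control" "no-cache,no-store,must-revalidate"
    HTTP::header replace "Pragma" "no-cache"

    # Security headers: add only when the response does not already carry them.
    if { ![HTTP::header exists "X-Frame-Options"] } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { ![HTTP::header exists "X-XSS-Protection"] } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if { ![HTTP::header exists "X-Content-Type-Options"] } {
        # Bare token, no embedded quotes.
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
    if { ![HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}
```

If this rule is attached alongside the HTTP_RESPONSE rules above, responses that come from a pool member pass through both events; the replace and exists checks keep the headers from being duplicated. Re-running the scan against the login page and inspecting the raw response headers confirms whether the event fired.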