APM irule to add security headers on http_response
I have been trying to add an iRule to shore up security on a virtual server. Qualys is reporting vulnerabilities. In this instance, the user hits an F5 login page for manual authentication (user/password). My iRules are only being hit on request, not response. Rules are currently:
when HTTP_RESPONSE {
    HTTP::header replace Cache-Control "no-cache,no-store,must-revalidate"
    HTTP::header insert Pragma "no-cache"
}
and
when HTTP_RESPONSE {
    if { !([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains"
    }
}
Any help would be appreciated.
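One way to confirm from the client side which responses actually carry the headers these two iRules set, added here as an example and not part of the original post. The function names and the sample responses are constructed for illustration; the expected values are the ones in the rules above.

```python
import re

# Expected single-valued headers, taken from the iRules in the post.
EXACT = {"pragma": "no-cache", "x-frame-options": "SAMEORIGIN",
         "x-xss-protection": "1; mode=block", "x-content-type-options": "nosniff"}
CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}

def parse_headers(raw):
    """Map lower-cased header name -> list of values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return findings for headers that are missing, duplicated or malformed."""
    hdrs, findings = parse_headers(raw), []

    def single(name):
        vals = hdrs.get(name, [])
        if not vals:
            findings.append(f"{name}: missing")
            return None
        if len(vals) > 1:                        # 'insert' on top of a backend header
            findings.append(f"{name}: duplicated")
        return vals[-1]

    cc = single("cache-control")
    if cc is not None:
        lacking = CACHE_DIRECTIVES - {d.strip().lower() for d in cc.split(",")}
        if lacking:
            findings.append("cache-control: lacks " + ", ".join(sorted(lacking)))
    for name, want in EXACT.items():
        got = single(name)
        if got is not None and got.lower() != want.lower():
            findings.append(f"{name}: unexpected value {got!r}")
    hsts = single("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:
            findings.append("strict-transport-security: no positive max-age")
    return findings

# Constructed samples: a login page the rules never touched, and a response they did.
LOGIN_PAGE = "\r\n".join(["HTTP/1.1 200 OK", "Content-Type: text/html",
                          "Cache-Control: no-cache", "", "<html>"])
PROTECTED = "\r\n".join(["HTTP/1.1 200 OK", "Cache-Control: no-cache,no-store,must-revalidate",
    "Pragma: no-cache", "X-Frame-Options: SAMEORIGIN", "X-XSS-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=16070400; includeSubDomains", "", "<html>"])
```

Feeding it the raw response for the login page and for a page behind authentication shows which of the two the rules are reaching.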