Forum Discussion

Domai_23823's avatar
Domai_23823
Icon for Nimbostratus rankNimbostratus
Oct 11, 2018

Clickjacking iRule assist

I have the below requirement I need to insert X-FRAME-OPTIONS "DENY" only if the requests don't originate from my domain *.123.com but I need to insert it from any other domain. How can i accomplish this using iRules? X-FRAME-OPTIONS "ALLOW FROM" does not allow multiple domains or sub domains. That is why I am seeking options.

I am sure the below will not work...right?

When HTTP_RESPONSE {
HTTP::header insert "X-FRAME-OPTIONS" "ALLOW-FROM http://*.123.com"
}

1 Reply

  • Hi,

    can you try this (I checked rfc but it's not clear...):

    if { not([HTTP::header exists "X-Frame-Options"])}{
        HTTP::header insert X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
    } else {
        HTTP::header replace X-Frame-Options {ALLOW-FROM https://domain1.f5.com/ https://domain2.f5.com/ https://domain3.f5.com/ }
    }
    

    Just be carefull, Chrome not support Allow-From in X-Frame-Options header since a specific version, it ignores this header and blocks you in any case.

    Additional point take a looke to "Content-Security-Policy" if it can help you.

    keep me in touch,

    regards,