Kevin_Lange
Aug 26, 2020 · Nimbostratus
Conditional policy for security header based on URI path
I'm struggling to get a conditional policy based on URI to work properly. I'm trying to set X-Frame-Options based on paths, such that the header is more relaxed on specific paths, but more strict on anything else. The below code results in ALLOWALL for pretty much everything. I'm fairly certain the application is sending ALLOWALL for everything. I'm just trying to enforce defaults at the LTM, permitting conditional.
"X-Frame-Options header SAMEORIGIN" {
    actions {
        0 {
            http-header
            response
            replace
            name X-Frame-Options
            value SAMEORIGIN
        }
    }
    conditions {
        0 {
            http-uri
            path
            not
            starts-with
            values { /path-a/ /path-b/subpath/ /path-c/ }
        }
        1 {
            http-header
            response
            name X-Frame-Options
            not
            contains
            values { SAMEORIGIN }
        }
    }
    ordinal 3
}
"X-Frame-Options header ALLOWALL" {
    actions {
        0 {
            http-header
            response
            replace
            name X-Frame-Options
            value ALLOWALL
        }
    }
    conditions {
        0 {
            http-uri
            path
            starts-with
            values { /path-a/ /path-b/subpath/ /path-c/ }
        }
        1 {
            http-header
            response
            name X-Frame-Options
            not
            contains
            values { ALLOWALL }
        }
    }
    ordinal 2
}
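One way to check what the virtual server actually returns per path against what the two rules above are meant to enforce, as an added example that is not part of the original post. The prefixes and header values are copied from the posted policy; the function names and the sample observations are constructed for illustration.

```python
from urllib.parse import urlsplit

# Prefixes copied from the policy in the post; these paths get the relaxed value.
RELAXED_PREFIXES = ("/path-a/", "/path-b/subpath/", "/path-c/")
RELAXED, STRICT = "ALLOWALL", "SAMEORIGIN"


def expected_xfo(url_or_path):
    """Value the posted policy is meant to enforce for this request target."""
    # The policy conditions match on the URI path only, so drop scheme, host and query.
    path = urlsplit(url_or_path).path or "/"
    return RELAXED if path.startswith(RELAXED_PREFIXES) else STRICT


def audit(observations):
    """observations: iterable of (target, [X-Frame-Options values seen in the response]).
    Returns (target, expected, observed, reason) for every mismatch."""
    findings = []
    for target, values in observations:
        want = expected_xfo(target)
        # Normalise before comparing: trim whitespace, ignore case.
        seen = [v.strip().upper() for v in values]
        if not seen:
            findings.append((target, want, None, "header missing"))
        elif len(set(seen)) > 1:
            findings.append((target, want, seen, "conflicting duplicate headers"))
        elif seen[0] != want:
            findings.append((target, want, seen[0], "wrong value"))
    return findings


# Constructed sample observations (not captured from a real system).
SAMPLE = [
    ("/path-a/widget", ["ALLOWALL"]),
    ("/path-b/subpath/x?frame=1", ["allowall"]),
    ("/path-b/other", ["ALLOWALL"]),          # sibling of a relaxed prefix: must be strict
    ("/path-a", ["ALLOWALL"]),                # no trailing slash: prefix does not match
    ("/login", ["SAMEORIGIN", "ALLOWALL"]),   # two headers with different values
    ("/account", []),                         # header absent from the response
    ("https://app.example/path-c/embed", ["ALLOWALL"]),
]

if __name__ == "__main__":
    for target, want, got, reason in audit(SAMPLE):
        print(f"{target}: expected {want}, observed {got} ({reason})")
```

Feed `audit` the header values collected from the client side of the LTM for a list of test paths; any finding on a path outside the three prefixes means the strict default is not being applied there.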