Clickjacking protection with X-Frame options

Question

We have a situation where sites are missing X-Frame Options
How can we return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itselfSecure Cookies&nbsp;
I found the following single line iRule implementation, can you please verify&nbsp;
when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" “(DENY || SAMEORIGIN)” }&nbsp;

kevin_stewart · Answer

I'd use a replace:
when HTTP_RESPONSE {
   HTTP::header replace X-Frame-Options "SAMEORIGIN"
}

deepak__m_k_165 · Answer

Hi Kevin ,&nbsp;
How to test once we have implemented the iRule ?&nbsp;
thanks and regards
Deepak MK&nbsp;

jaz_170005 · Answer

Hello Everyone,&nbsp;
That iRule works, however it means that we have to add it to every VS we have (we have tons of those). is there a better solution? 
does F5 has a HF for it? &nbsp;

Forum Discussion

Clickjacking protection with X-Frame options

3 Replies

Recent Discussions

Converting config to DO

iRule resulting in too many redirects

Wildcard SSL Certificate Deployment on F5 LTM

URL

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

Related Content

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Removing x-frame-options header from response when using APM

Beyond REST: Protecting GraphQL

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

L7 DoS Protection with NGINX App Protect DoS