Security Headers Insertion

Problem this snippet solves:

Centralize the security header management for one or more domains on the recommendation of

Be warned: you can seriously damage your availability if you do not understand these headers and what they do in client browsers. Strict-Transport-Security and Public-Key-Pins are cached by the browser for max-age seconds (180 days with the value below), so a wrong value cannot simply be undone by removing the header later. Make sure every header value is tested and vetted, ideally with a short max-age first, before it is applied to any production traffic.

Background on the headers:

Strict-Transport-Security (HSTS): tells the browser to use HTTPS only for this host (and, with includeSubDomains, every subdomain) for max-age seconds. The browser remembers this, so HTTPS has to keep working for the whole period.

Public-Key-Pins (HPKP): lists base64 SHA-256 hashes of public keys (SubjectPublicKeyInfo); the browser rejects any future certificate chain that does not contain one of them. The header is only honored when it carries at least two pins, one of which must be a backup key that is not in the current chain. A bad pin set locks users out for max-age. HPKP has since been deprecated and removed from major browsers.

X-XSS-Protection: enables the legacy reflected-XSS filter in older Internet Explorer and Chrome; modern browsers ignore it.

X-Frame-Options DENY: forbids rendering the page inside a frame, which is the basic clickjacking defense.

X-Content-Type-Options nosniff: stops the browser from guessing a content type that differs from the declared Content-Type.

Content-Security-Policy: declares which sources the page may load content from; default-src is the fallback for every fetch directive. X-Content-Security-Policy is the legacy prefixed name used by early Firefox and, for the sandbox directive only, IE 10/11.

How to use this snippet:

Customize the pin values, the max-age and the Content-Security-Policy for your environment, then apply the iRule to the virtual servers that serve the domain(s). Only the plain-HTTP listener should issue the HTTPS redirect; on an HTTPS virtual server an unconditional redirect sends every request back to itself.

Code :

when RULE_INIT {
  # Pins are base64(SHA-256(SubjectPublicKeyInfo)). HPKP requires at least two, one of them a backup key.
  set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
  set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
  # 180 days, shared by HSTS and HPKP. Browsers cache it, so use a small value while testing.
  set static::max_age 15552000
}
when HTTP_REQUEST {
  # Redirect only plaintext requests (the port-80 listener); on the HTTPS virtual server this would loop.
  if { [TCP::local_port] == 80 } {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
  }
}
when HTTP_RESPONSE {
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
  # Both pins, with ';' between directives as HPKP requires.
  HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\"; pin-sha256=\"$static::fqdn_pin2\"; max-age=$static::max_age; includeSubDomains"
  HTTP::header insert X-XSS-Protection "1; mode=block"
  HTTP::header insert X-Frame-Options "DENY"
  HTTP::header insert X-Content-Type-Options "nosniff"
  # Placeholder: a bare default-src with no source list blocks every resource. Replace with your vetted policy.
  HTTP::header insert Content-Security-Policy "default-src"
  # Legacy prefixed CSP header (old Firefox; IE 10/11 honor only the sandbox directive)
  HTTP::header insert X-Content-Security-Policy "default-src"
}
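Since the warning above insists that header values be vetted before production, here is an added example (not part of the original snippet or of F5's code) that lints a header set the way a reviewer would: it checks that HSTS carries a numeric max-age, that an HPKP header has at least two well-formed 32-byte pins and a ';'-separated max-age, that the CSP has a non-empty default-src, and that the framing and sniffing headers hold sane values. The function name lint_security_headers, the minimum HSTS age and the finding messages are this example's own choices; the two header dictionaries are constructed to mirror what the iRule emits as written and what it emits once the HPKP and CSP values are corrected.

```python
"""Lint a set of HTTP security response headers before they reach production.

Added example, not part of the original iRule. Function and message names are
this example's own choices; the sample header dictionaries below are constructed
to mirror what the snippet emits.
"""
import base64
import binascii
import re

# An HPKP pin is base64(SHA-256(SubjectPublicKeyInfo)): 32 bytes -> 44 chars.
_PIN_RE = re.compile(r'pin-sha256="([^"]*)"')


def _directives(value):
    """Split a ';'-separated header value into stripped, non-empty directives."""
    return [d.strip() for d in value.split(";") if d.strip()]


def _max_age(value):
    """Return the integer max-age directive, or None if absent or malformed."""
    for directive in _directives(value):
        name, _, val = directive.partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def _valid_pin(b64):
    """True if the pin decodes, under strict base64 rules, to exactly 32 bytes."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def lint_security_headers(headers, min_hsts_age=15552000):
    """Return a list of findings; an empty list means the header set passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        age = _max_age(hsts)
        if age is None:
            findings.append("HSTS: max-age missing or not numeric")
        elif age < min_hsts_age:
            findings.append(f"HSTS: max-age {age} below {min_hsts_age}")

    hpkp = h.get("public-key-pins")
    if hpkp is not None:  # HPKP is optional (and deprecated); lint it only if present
        pins = _PIN_RE.findall(hpkp)
        if len(pins) < 2:
            findings.append("HPKP: fewer than two pins (a backup pin is required)")
        if any(not _valid_pin(p) for p in pins):
            findings.append("HPKP: a pin is not 32 bytes of valid base64")
        if _max_age(hpkp) is None:
            findings.append("HPKP: max-age missing (directives must be ';'-separated)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # directive name -> list of source expressions
        parsed = {d.split()[0].lower(): d.split()[1:] for d in _directives(csp)}
        if "default-src" not in parsed:
            findings.append("CSP: no default-src fallback")
        elif not parsed["default-src"]:
            findings.append("CSP: default-src has an empty source list (blocks every resource)")

    xfo = (h.get("x-frame-options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")

    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: should be nosniff")

    return findings


# Constructed sample: what the snippet emits as originally written (one pin,
# no ';' before max-age, a bare default-src).
SNIPPET_HEADERS = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=" '
                       "max-age=15552000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src",
}

# Constructed sample: the same set with both pins, ';'-separated directives and
# a placeholder policy of default-src 'self'.
FIXED_HEADERS = dict(SNIPPET_HEADERS, **{
    "Public-Key-Pins": 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; '
                       'pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; '
                       "max-age=15552000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
})

if __name__ == "__main__":
    for name, hdrs in (("snippet", SNIPPET_HEADERS), ("fixed", FIXED_HEADERS)):
        print(name, lint_security_headers(hdrs) or "OK")
```

Run it against the headers captured from a test virtual server (for example the dictionary produced by a client library from one response) before raising max-age to its production value; the original snippet's set produces three findings, the corrected set none.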

Tested this on version:

Published Mar 14, 2016
Version 1.0
