Forum Discussion

Zach_C_355943's avatar
Zach_C_355943
Icon for Nimbostratus rankNimbostratus
Mar 16, 2018
Solved

Issues with X-XSS Protection HTTP Header

Hey folks, we recently implemented some HTTP headers onto our F5 irules and recently noticed that one of them (X-XSS-Protection) isn't showing up.

At the moment, we have them in place in our irule as such:

when HTTP_REQUEST {
 if { !([HTTP::header exists "X-Frame-Options"])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
 if { !([HTTP::header exists "X-XSS-Protection"])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
 if { !([HTTP::header exists "X-Content-Type-Options"])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" }
}

When we run a curl URL -I against the site, it returns the X-Content-Type-Options and X-Frame-Options headers, but not the X-XSS-Protection header. Is there something we're doing wrong?

Thanks!

BIG-IP
devops
http header
irule
iRules
security
  • Zach_C_355943's avatar
    Zach_C_355943
    Apr 25, 2018

    Following up! Turns out the answer is we needed to have these headers under "HTTP_RESPONSE" (not REQUEST). What it looks like in a working state in our irules:

    when HTTP_RESPONSE {
  HTML Headers for PCI failures
 if { !([HTTP::header exists "X-Frame-Options"])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
 if { !([HTTP::header exists "X-XSS-Protection"])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
 if { !([HTTP::header exists "X-Content-Type-Options"])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" }
}

2 Replies

Sort By
  • Lee_Sutcliffe's avatar
    Lee_Sutcliffe
    Icon for Nacreous rankNacreous
    Mar 16, 2018

    At first glance I can't see anything wrong with your iRule. Could you try the following? I've added logging to the X-XSS-Protection if statement to see if it already exists and what it's value is.

    Have you also tried this in a web browser developer window and received the same results?

    when HTTP_REQUEST {
 if { !([HTTP::header exists "X-Frame-Options"])} { 
   HTTP::header insert "X-Frame-Options" "SAMEORIGIN" 
 }
 if { !([HTTP::header exists "X-XSS-Protection"])} { 
   HTTP::header insert "X-XSS-Protection" "1; mode=block"
 } else {
   log local0. "Header X-XSS-Protection exists, Value:[HTTP::header value X-XSS-Protection]"
 }
 if { !([HTTP::header exists "X-Content-Type-Options"])} { 
   HTTP::header insert "X-Content-Type-Options" "'nosniff'" 
 }
}
  • Zach_C_355943's avatar
    Zach_C_355943
    Icon for Nimbostratus rankNimbostratus
    Apr 25, 2018

    Following up! Turns out the answer is we needed to have these headers under "HTTP_RESPONSE" (not REQUEST). What it looks like in a working state in our irules:

    when HTTP_RESPONSE {
  HTML Headers for PCI failures
 if { !([HTTP::header exists "X-Frame-Options"])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
 if { !([HTTP::header exists "X-XSS-Protection"])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
 if { !([HTTP::header exists "X-Content-Type-Options"])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" }
}