iRule to mitigate CSRF

Question

Some of our application developers are asking about an iRule that could possibly insert a nonce onto a page during a session that would help prevent a cross-site request forgery from happening. Unfortunately the native software doesn't do this and has said it will be a couple of months before they can get it fixed. &nbsp;
&nbsp;I've written a few iRules but was hoping to knock this out quickly if someone could point me in the right direction. Thanks.&nbsp;

hooleylist · Answer

Hi Chris, 
&nbsp;  
&nbsp; There is built in functionality to do this in the Application Security Manager (ASM).  I guess it's technically possible to do in an iRule--but it would be complicated to try to parse each parameter from the response HTML and inject the nonce. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

iRule to mitigate CSRF

1 Reply

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

CitrixBleed Mitigation CVE-2023-4966

iRule to assist with CVE-2022-22965 mitigation

Re: Mitigating OWASP API Security risks using BIG-IP

Mitigation of OWASP API Security Risk: SSRF using F5 Distributed Cloud Platform

Mitigate Unplanned Scale Issues with an iRule Waiting Room