Forum Discussion

Kevin_Lange
Aug 26, 2020

Conditional policy for security header based on URI path

I'm struggling to get a conditional policy based on URI to work properly. I'm trying to set X-Frame-Options based on paths, such that the header is more relaxed on specific paths, but more strict on anything else. The below code results in ALLOWALL for pretty much everything. I'm fairly certain the application is sending ALLOWALL for everything. I'm just trying to enforce defaults at the LTM, permitting conditional.


    "X-Frame-Options header SAMEORIGIN" {
        actions {
            0 {
                http-header
                response
                replace
                name X-Frame-Options
                value SAMEORIGIN
            }
        }
        conditions {
            0 {
                http-uri
                path
                not
                starts-with
                values { /path-a/ /path-b/subpath/ /path-c/ }
            }
            1 {
                http-header
                response
                name X-Frame-Options
                not
                contains
                values { SAMEORIGIN }
            }
        }
        ordinal 3
    }
    "X-Frame-Options header ALLOWALL" {
        actions {
            0 {
                http-header
                response
                replace
                name X-Frame-Options
                value ALLOWALL
            }
        }
        conditions {
            0 {
                http-uri
                path
                starts-with
                values { /path-a/ /path-b/subpath/ /path-c/ }
            }
            1 {
                http-header
                response
                name X-Frame-Options
                not
                contains
                values { ALLOWALL }
            }
        }
        ordinal 2
    }

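The following is an added example, not part of the original post and not F5 code. It models the two rules above exactly as written (path prefixes, `not` on the path and header conditions, `replace` actions, ordinals) and evaluates them the way a first-match policy is intended to: lowest ordinal first, a rule fires only when every condition holds, and evaluation stops at the first rule that fires. The strategy being first-match, the two rules being the only ones in the policy, and a `not contains` check counting as true when the header is absent are all assumptions. The `audit` helper compares observed `(path, X-Frame-Options)` pairs against the intended result, which gives a quick way to confirm whether the BIG-IP is behaving as the rules intend:

```python
"""Model of the two LTM policy rules from the question (added example, not
F5 code), plus an audit helper for observed responses.

Assumptions (not stated in the post): first-match strategy, these are the
only two rules, and a 'not contains' check on a missing header is true.
"""
from dataclasses import dataclass

# Prefixes listed in the question's 'starts-with' values.
RELAXED_PREFIXES = ("/path-a/", "/path-b/subpath/", "/path-c/")


@dataclass(frozen=True)
class Rule:
    name: str
    ordinal: int
    path_prefixes: tuple   # http-uri path starts-with values { ... }
    negate_path: bool      # 'not' in front of starts-with
    header_needle: str     # http-header response X-Frame-Options contains
    negate_header: bool    # 'not' in front of contains
    new_value: str         # action: http-header response replace value


# The two rules from the post, keyed by their ordinals.
RULES = (
    Rule("X-Frame-Options header ALLOWALL", 2, RELAXED_PREFIXES,
         False, "ALLOWALL", True, "ALLOWALL"),
    Rule("X-Frame-Options header SAMEORIGIN", 3, RELAXED_PREFIXES,
         True, "SAMEORIGIN", True, "SAMEORIGIN"),
)


def rule_matches(rule: Rule, path: str, headers: dict) -> bool:
    """True when both conditions of the rule hold for this path/response."""
    path_ok = path.startswith(rule.path_prefixes)
    if rule.negate_path:
        path_ok = not path_ok
    current = headers.get("X-Frame-Options", "")
    header_ok = rule.header_needle in current
    if rule.negate_header:
        header_ok = not header_ok
    return path_ok and header_ok


def apply_policy(path: str, upstream_headers: dict, rules=RULES):
    """Return (final headers, name of the rule that fired or None).

    First-match: walk rules by ascending ordinal, stop at the first hit.
    """
    headers = dict(upstream_headers)
    for rule in sorted(rules, key=lambda r: r.ordinal):
        if rule_matches(rule, path, headers):
            headers["X-Frame-Options"] = rule.new_value
            return headers, rule.name
    return headers, None


def expected_xfo(path: str) -> str:
    """What the question wants the client to end up seeing for a path."""
    return "ALLOWALL" if path.startswith(RELAXED_PREFIXES) else "SAMEORIGIN"


def audit(observations):
    """Given (path, observed X-Frame-Options) pairs, list every mismatch
    as (path, observed, expected).  An empty list means the policy behaves
    as intended for the paths sampled."""
    return [(p, seen, expected_xfo(p))
            for p, seen in observations if seen != expected_xfo(p)]


if __name__ == "__main__":
    # Constructed sample: upstream app sends ALLOWALL on everything.
    for path in ("/other/page", "/path-a/widget", "/path-b/subpath/x"):
        final, fired = apply_policy(path, {"X-Frame-Options": "ALLOWALL"})
        print(f"{path:22} -> {final['X-Frame-Options']:11} via {fired}")
    # Constructed observations matching the symptom in the question.
    print(audit([("/other/page", "ALLOWALL"), ("/path-a/widget", "ALLOWALL")]))
```

Run stand-alone, the model rewrites `/other/page` to SAMEORIGIN via the ordinal-3 rule and leaves `/path-a/widget` at ALLOWALL with no rule firing, so an observed ALLOWALL on a non-listed path is a mismatch between the model and what the BIG-IP actually evaluated. That is the point at which to check how the request-side `http-uri` condition is being paired with the response on the box, which is what the reply's OneConnect question is probing.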
1 Reply

  • nathe

    Kevin, do you have a OneConnect profile attached to the VS? Also see K15097 to see if this looks to explain what you are seeing, even though this references Pools and not headers.


    Hope this helps


    N