Forum Discussion

Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Aug 10, 2022

Inserting X-frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security

Hi,

We have multiple web applications running on a single Virtual server with host/domain based pool routing.

For eg:

red.lab.ae

green.lab.ae

irule:

when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
red.lab.ae {
pool Red_Pool1 }

green.lab.ae {
pool Green_Pool1 }

}
}

In order  to mitigate the Qualys security scan threat QID 11827,  Please let me know if there is any option to insert the missing security HTTP response headers only for one host name (for eg - to green.lab.ae only) in rule

 

  • Hi Preet_pk,

    when HTTP_REQUEST {
    	set status 0
    	switch [string tolower [HTTP::host]] {
    		"red.lab.ae" {
    			pool Red_Pool1
    		}
    		"green.lab.ae" {
    			set status 1
    			pool Green_Pool1
    		}
    	}
    }
    
    when HTTP_RESPONSE {
    	if { $status } {
    		if { !([HTTP::header exists "Strict-Transport-Security"]) } {
    			HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubDomains;"
    		}
    		if { !([HTTP::header exists "X-Content-Type-Options"]) } {
    			HTTP::header insert "X-Content-Type-Options" "nosniff"
    		}
    		if { !([HTTP::header exists "X-Frame-Options"]) } {
    			HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    		}
    		if { !([HTTP::header exists "X-XSS-Protection"]) } {
    			HTTP::header insert "X-XSS-Protection" "1; mode=block"
    		}
    	}
    }
    

    You may need to change the header values.