Question
Can we set the "X-Frame-Options" header in the WAF to protect against the "Clickjacking" attack?
Environment
- Silverline WAF
- Proxy
- v13, v14
Answer
In versions prior to BIG-IP ASM 16.0.0, the system does not include HTTP security headers in response or blocking pages generated by the security policy.
Beginning in BIG-IP ASM 16.0.0, the asm.http_security_headers db variable is enabled by default. The system includes the HTTP security headers in responses generated by the security policy, as shown in the following table.
If you believe that your application is vulnerable or susceptible to this type of attack, we can add the X-Frame-Options header via an iRule.
In order to implement this iRule, create a ticket with SOC and provide desired name for your iRule.
when HTTP_RESPONSE priority 360 {
    # Remove any existing copy of the header, then insert the hardened value
    # (X-Content-Type-Options: nosniff disables browser MIME sniffing).
    HTTP::header remove "X-Content-Type-Options"
    HTTP::header insert "X-Content-Type-Options" "nosniff"
}
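The iRule below is an added example, not from the original article and not an F5 or Silverline-provided iRule: it sets X-Frame-Options on every response using the same remove/insert pattern as the article's X-Content-Type-Options iRule. The header value "DENY" is an assumption (it forbids framing entirely); "SAMEORIGIN" is the alternative if the application legitimately frames its own pages. The event priority of 360 is reused from the article's iRule.

```tcl
# Added example (not the article's own iRule): enforce X-Frame-Options on
# all responses to mitigate clickjacking. Assumed policy value: DENY.
when HTTP_RESPONSE priority 360 {
    # Strip any copy the backend already set so a weaker or malformed value
    # cannot survive alongside the one the WAF enforces, then insert ours.
    if { [HTTP::header exists "X-Frame-Options"] } {
        HTTP::header remove "X-Frame-Options"
    }
    HTTP::header insert "X-Frame-Options" "DENY"
}
```

Verify the result from a client with `curl -sI https://<your-app>/` (placeholder host) and confirm a single `X-Frame-Options: DENY` line is present. Modern browsers give precedence to a Content-Security-Policy `frame-ancestors` directive when one is present, so if the application already sends a CSP, make sure the two policies agree.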