
Q&A: How can I set the X-Frame-Options header in order to protect from "Clickjacking" attacks?

Question

Can we set the "X-Frame-Options" header in the WAF to protect against the "Clickjacking" attack?

Environment

  • Silverline WAF
  • Proxy
  • v13, v14

Answer

In versions prior to BIG-IP ASM 16.0.0, the system does not include HTTP security headers in response or blocking pages generated by the security policy.

Beginning in BIG-IP ASM 16.0.0, the asm.http_security_headers db variable is enabled by default. The system includes the HTTP security headers for responses generated by the security policy, as shown in the following table.

 

If you believe that your application is vulnerable or susceptible to this type of attack, the X-Frame-Options header can be added via an iRule.

In order to implement this iRule, create a ticket with the SOC and provide the desired name for your iRule.

when HTTP_RESPONSE priority 360 {
    # Remove any X-Frame-Options header the origin already set, then insert the desired value.
    # DENY forbids all framing; SAMEORIGIN allows framing only by pages from the same origin.
    HTTP::header remove "X-Frame-Options"
    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
}
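
To confirm the header actually reaches clients once the iRule is in place, the following checker (an added example, not part of the original article or F5's tooling) parses a raw HTTP response and reports whether X-Frame-Options is present and usable; the sample responses are constructed, not captured traffic.

```python
from __future__ import annotations

# Values current browsers honour (RFC 7034); comparison is case-insensitive.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def parse_headers(raw_response: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) pairs.

    Names are lower-cased; duplicates are kept so that conflicting
    X-Frame-Options headers can be detected.
    """
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_x_frame_options(raw_response: bytes) -> str:
    """Return a verdict for the response's X-Frame-Options header.

    "ok"       - exactly one header with DENY or SAMEORIGIN
    "missing"  - no header at all, so framing is not restricted
    "invalid"  - unrecognised value (including the obsolete ALLOW-FROM,
                 which current browsers ignore, leaving the page unprotected)
    "conflict" - more than one header; the iRule's remove-then-insert
                 is what prevents this when the origin also sets one
    """
    values = [v for n, v in parse_headers(raw_response) if n == "x-frame-options"]
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflict"
    return "ok" if values[0].upper() in VALID_VALUES else "invalid"


# Constructed sample responses (not captured traffic).
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>")
SAMPLE_MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_ALLOW_FROM = (b"HTTP/1.1 200 OK\r\n"
                     b"X-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n")
SAMPLE_CONFLICT = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                   b"x-frame-options: SAMEORIGIN\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING),
                          ("allow-from", SAMPLE_ALLOW_FROM), ("conflict", SAMPLE_CONFLICT)]:
        print(f"{label:10s} -> {check_x_frame_options(sample)}")
```

Feed it the output of a raw request to the virtual server (for example, `curl -si`) to verify the iRule's header rather than trusting the origin's.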
