Add Security Headers
Information
Summary: |
Add Security headers to the LoadMaster (LM) and Virtual Service (VS).
|
Environment: |
Product: LoadMaster Version: 7.2.57 Platform: Application: SSL accelerated services |
Question/Problem Description: |
Add security headers to HTTP/HTTPS traffic using content rules
|
Steps to Reproduce: | |
Error Message: | |
Defect Number: | |
Enhancement Number: | |
Cause: |
Security requirements sometimes call for adding headers to client responses to make them more secure. Using these headers increases the security of the request and helps prevent things like:
|
Resolution: |
Here are the security headers to add.
To add the headers below to the LoadMaster, navigate to: Rules & Checking --> Content Rules --> Create New
Content rules to be created:
Rule 1:
  Rule Type: Add Header
  Header Field to be Added: X-Frame-Options
  Value of Header Field to be Added: SAMEORIGIN
  Perform If Flag Set: [Unset]
  Perform If Flag is NOT Set: [Unset]
Rule 2:
  Rule Type: Add Header
  Header Field to be Added: X-Content-Type-Options
  Value of Header Field to be Added: nosniff
  Perform If Flag Set: [Unset]
  Perform If Flag is NOT Set: [Unset]
Rule 3:
  Rule Type: Add Header
  Header Field to be Added: X-XSS-Protection
  Value of Header Field to be Added: 1; mode=block
  Perform If Flag Set: [Unset]
  Perform If Flag is NOT Set: [Unset]
Rule 4:
  Rule Type: Add Header
  Header Field to be Added: Content-Security-Policy
  Value of Header Field to be Added: script-src 'self'; object-src 'self'
  Perform If Flag Set: [Unset]
  Perform If Flag is NOT Set: [Unset]
Rule 5:
  Rule Type: Add Header
  Header Field to be Added: Referrer-Policy
  Value of Header Field to be Added: no-referrer-when-downgrade
  Perform If Flag Set: [Unset]
  Perform If Flag is NOT Set: [Unset]
In rule 5 there are multiple options. Please decide which to use prior to creating the rule, or create multiple rules with different nicknames. Values are:
Once these rules have been created, they are available to be applied to any HTTP/HTTPS virtual service that utilizes SSL Acceleration.
Navigate to the desired virtual service and Modify it: Advanced Properties > HTTP Header Modifications > Response Rules > Add Rule > Add the newly created rules. |
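To confirm the response rules took effect, the following added example (not part of the original article or the product) audits a raw HTTP response against the values from Rules 1 to 5, reporting headers that are missing, sent more than once, or carrying a different value. The function names and the sample response are constructed for illustration.

```python
# Added example: expected values are copied from Rules 1-5 in this article.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "content-security-policy": "script-src 'self'; object-src 'self'",
    "referrer-policy": "no-referrer-when-downgrade",
}

def parse_headers(raw):
    """Return {lowercased name: [values...]} from a raw HTTP response head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():  # a blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize(value):
    # Compare case-insensitively and ignore spacing around ';'
    return ";".join(p.strip().lower() for p in value.split(";") if p.strip())

def audit(raw, expected=EXPECTED):
    """Return {header: 'ok' | 'missing' | 'duplicate' | 'mismatch: <seen>'}."""
    seen = parse_headers(raw)
    report = {}
    for name, want in expected.items():
        values = seen.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"
        elif normalize(values[0]) != normalize(want):
            report[name] = "mismatch: " + values[0]
        else:
            report[name] = "ok"
    return report

# Constructed sample response (not captured from a real LoadMaster).
SAMPLE = "\r\n".join([
    "HTTP/1.1 200 OK", "X-Frame-Options: SAMEORIGIN", "X-Frame-Options: DENY",
    "x-content-type-options: NoSniff", "Referrer-Policy: same-origin",
    "Content-Security-Policy: script-src 'self';object-src 'self'",
    "", "<html></html>",
])
if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in audit(SAMPLE).items()))
```

To check a live virtual service, pass `audit()` the header output of `curl -s -D - -o /dev/null https://<virtual-service-address>/`.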
Workaround: | |
Notes: |