APM iRule manipulating CSP headers
Hello all!
We are trying to improve the security of our APM application, especially the HTTP headers - CSP, HSTS, X-Type, etc.
Though we implemented an iRule on a normal virtual server and it changed the headers correctly, when trying to add it to an APM virtual server either it doesn't do anything or it breaks. We added it normally to the vs, we tried adding the ACCESS::restrict_irule_events disable statement but it won't do anything, and last we tried adding a virtual server which only hosts the iRule and redirects to the apm virtual server (virtual "vs_name").
While i'm asking for some technical guidance, it would also be useful to know if this is even necesary for an APM portal. It hosts some applications and network access.
Here's the iRule:
when RULE_INIT {
set static::fqdn_pin1 "X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="
set static::fqdn_pin2 "MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
set static::max_age 15552000
}
when HTTP_REQUEST {
log local0. "log request"
HTTP::respond 301 Location "http://[HTTP::host][HTTP::uri]"
if { !([HTTP::header exists "X-Frame-Options"])} { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
if { !([HTTP::header exists "X-XSS-Protection"])} { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
if { !([HTTP::header exists "X-Content-Type-Options"])} { HTTP::header insert "X-Content-Type-Options" "'nosniff'" }
}
when HTTP_RESPONSE {
log local0. "Log response"
HSTS
HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
HPKP
HTTP::header insert Public-Key-Pins "pin-sha256=\"$static::fqdn_pin1\" max-age=$static::max_age; includeSubDomains"
X-XSS-Protection
HTTP::header insert X-XSS-Protection "1; mode=block"
X-Frame-Options
HTTP::header insert X-Frame-Options "DENY"
X-Content-Type-Options
HTTP::header insert X-Content-Type-Options "nosniff"
CSP
HTTP::header insert Content-Security-Policy "default-src 'self'"
CSP for IE
HTTP::header insert X-Content-Security-Policy "default-src 'self'"
}
Thank you for your time!