Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

Problem this snippet solves:

HTTP provides many response headers that your application can use to increase the security of your application.

Once set, these HTTP response headers can restrict modern browsers from running into easily preventable common vulnerabilities.

Using an iRule, you can add a couple of HTTP Response Headers to easily improve your web application security.

To learn more about these and other security headers, refer to the OWASP Secure Headers Project page.

How to use this snippet:

  1. Create the iRule for Security Headers.
  2. Assign the iRule to a virtual server and test!

Code :

    ### Enforce HTTP Strict Transport Security (HSTS)
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
      HTTP::header insert "Strict-Transport-Security" "max-age=31536035"
    ### Enables the Cross-site scripting (XSS) filter
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1;mode=block"
    ### Improve the protection against Clickjacking
    if {!([HTTP::header exists "X-Frame-Options"]) } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    ### Prevent the browser from interpreting files as something else than declared by the content type
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"

Tested this on version:

Published Mar 23, 2020
Version 1.0

Was this article helpful?

1 Comment

  • Sajid's avatar
    Icon for Cirrostratus rankCirrostratus

    Hi Pedro,


    Thanks for sharing a nice article.


    Possible to have some knowledge or code sharing for