Overview #
This article explains how to migrate a common F5 BIG-IP iRule used for HTTP security header insertion into RELIANOID using native HTTP/S farm features.
The following iRule adds four security headers to HTTP responses, each only when the backend response did not already set it:
# Runs once the response headers are ready to be sent to the client
when HTTP_RESPONSE_RELEASE {
    # Each header is inserted only if the backend did not already set it
    if { !([HTTP::header exists "X-XSS-Protection"]) } {
        HTTP::header insert "X-XSS-Protection" "1; mode=block"
    }
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload"
    }
    if { !([HTTP::header exists "content-security-policy"]) } {
        HTTP::header insert "content-security-policy" "frame-ancestors 'none'"
    }
    if { !([HTTP::header exists "X-Content-Type-Options"]) } {
        HTTP::header insert "X-Content-Type-Options" "nosniff"
    }
}
In RELIANOID, these security controls can be configured directly through the WebUI without requiring TCL scripting.
Enabling HSTS (Strict-Transport-Security) #
HSTS forces browsers to use HTTPS connections only. Benefits include:
- Preventing SSL stripping attacks
- Enforcing encrypted communications
- Improving browser-side transport security
The following line of the iRule:
HTTP::header insert "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload"
can be migrated directly through the WebUI.
Navigate to: Farms > HTTP/S Farm > Services
Then:
- Select the desired HTTP/S service
- Enable the STS switch
This automatically injects the Strict-Transport-Security header into HTTPS responses.
Configuring X-XSS-Protection Security Header #
This header enables the XSS filter built into legacy browsers. Although modern browsers rely more heavily on CSP, the header is still useful for compatibility scenarios.
Navigate to: Farms > HTTP/S Farm > Global > Advanced > Headers
Then:
- Click Create rule
- Set Type: Response: Add header
- Set Header: X-XSS-Protection
- Set Value: 1; mode=block
Configuring Content-Security-Policy Security Header #
Content-Security-Policy controls how content can be loaded and embedded. The frame-ancestors 'none' directive used here forbids any site from framing the application. Benefits:
- Prevents clickjacking
- Restricts unauthorized framing
- Improves browser security posture
Navigate to: Farms > HTTP/S Farm > Global > Advanced > Headers
Then:
- Click Create rule
- Set Type: Response: Add header
- Set Header: Content-Security-Policy
- Set Value: frame-ancestors 'none'
Configuring X-Content-Type-Options Security Header #
Instructs browsers to honor the declared Content-Type instead of MIME-sniffing the response body. Benefits:
- Prevents malicious content interpretation
- Reduces certain script injection vectors
Navigate to: Farms > HTTP/S Farm > Global > Advanced > Headers
Then:
- Click Create rule
- Set Type: Response: Add header
- Set Header: X-Content-Type-Options
- Set Value: nosniff
Validation #
After applying the configuration, validate response headers using:
curl -I https://<Farm VIP>
Expected output (among the other response headers):
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
Troubleshooting #
Headers Not Appearing #
Verify:
- Rules are applied to the correct farm
- HTTPS is enabled for HSTS
- Header rules are configured as Response rules
- Farm configuration has been applied/reloaded
Duplicate Headers #
If the backend application already injects these headers, duplicates may appear in the response. Recommendation:
- Decide whether each header should be managed by the backend application or by the RELIANOID farm configuration
- Avoid managing the same header in both places
HSTS Not Working #
Ensure:
- Clients connect via HTTPS
- Valid SSL certificates are installed
- Browsers are not testing via HTTP
HSTS headers are ignored on non-TLS connections.
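As an added example (not RELIANOID or F5 code), the following script checks the output of curl -I against the four headers from the iRule above and flags the cases listed in the Validation and Troubleshooting sections: a missing header, a wrong value, a duplicate (backend and farm both injecting it), and HSTS observed over plain HTTP. SAMPLE_HEAD is a constructed response so the checks also run offline; the file name check_headers.py used below is arbitrary.

```python
# Added example, not RELIANOID or F5 code: compare `curl -I` output with the
# headers the migrated iRule set. SAMPLE_HEAD is a constructed response.
import sys

# Header name -> value, exactly as the iRule and the farm header rules set them
EXPECTED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-xss-protection": "1; mode=block",
    "content-security-policy": "frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
}

# Constructed sample of what `curl -I https://<Farm VIP>` should return
SAMPLE_HEAD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""

def parse_head(raw):
    """Turn a raw response head into [(lowercased name, value), ...]."""
    pairs = []
    for line in raw.splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_headers(pairs, https=True):
    """Return findings matching the Troubleshooting section; [] means all good."""
    findings = []
    for name, expected in EXPECTED.items():
        values = [v for n, v in pairs if n == name]
        if not values:
            findings.append(f"missing: {name}")
        elif len(values) > 1:  # backend and farm are both injecting it
            findings.append(f"duplicate: {name} x{len(values)}")
        elif values[0] != expected:
            findings.append(f"wrong value: {name}={values[0]!r}")
    if not https and any(n == "strict-transport-security" for n, _ in pairs):
        findings.append("hsts seen over plain http: browsers ignore it")
    return findings

if __name__ == "__main__":
    raw = SAMPLE_HEAD if sys.stdin.isatty() else sys.stdin.read()
    https = "--http" not in sys.argv  # pass --http if the VIP was queried over HTTP
    problems = check_headers(parse_head(raw), https)
    print("\n".join(problems) or "all expected security headers present")
    sys.exit(1 if problems else 0)
```

Run it against the farm with: curl -sI https://<Farm VIP> | python3 check_headers.py (add --http when the VIP was queried over HTTP); a non-zero exit status means at least one finding.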
Summary #
F5 iRules used for HTTP security header insertion can be migrated to RELIANOID using native HTTP/S farm features without TCL scripting.
This approach simplifies administration while maintaining equivalent security functionality.