Configuring F5 and Apache for security headers

June 27, 2017 - Reading time: 3 minutes

We started to implement security headers in all our public web services. This article has some examples of how I implemented them in F5 and/or Apache.


For HTTP Strict Transport Security (HSTS) I used an iRule (the current max-age of 15638400 seconds is 181 days):

when RULE_INIT {
  set static::max_age 15638400
}
when HTTP_RESPONSE {
  # HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
}

If you don't have an F5, you can set the HSTS header in Apache instead, like this:

Header append Strict-Transport-Security "max-age=63072000; includeSubdomains;"

The other security headers are set in Apache where possible:

RequestHeader set X-Forwarded-Proto "https"

Header append X-Frame-Options SAMEORIGIN
Header append X-XSS-Protection "1; mode=block"
Header append X-Content-Type-Options nosniff
Header append Content-Security-Policy "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header append x-webkit-csp "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header append X-Content-Security-Policy "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header append Referrer-Policy "strict-origin-when-cross-origin"

For Java-based applications we set them from an iRule instead:

when HTTP_REQUEST {
  HTTP::header insert X-Forwarded-Proto "https"
}
when HTTP_RESPONSE {
  # X-XSS-Protection
  HTTP::header insert X-XSS-Protection "1; mode=block"
  # X-Frame-Options
  HTTP::header insert X-Frame-Options "SAMEORIGIN"
  # X-Content-Type-Options
  HTTP::header insert X-Content-Type-Options "nosniff"
  # CSP
  HTTP::header insert Content-Security-Policy "frame-ancestors 'self'"
  # CSP for IE (legacy prefixed header)
  HTTP::header insert X-Content-Security-Policy "frame-ancestors 'self'"
  # CSP for older WebKit (legacy prefixed header)
  HTTP::header insert x-webkit-csp "frame-ancestors 'self'"
  # Referrer-Policy
  HTTP::header insert Referrer-Policy "strict-origin-when-cross-origin"
}

Some info about Security Headers:

To verify your security headers, you can use this online tool.

And the blog of the guy who made the test. He seems well informed, and his blog has a lot of useful information and examples.

And of course, to verify that this site got an A rating!
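Beyond the online tool, it is useful to have an offline check you can run against a captured response, for example from a test environment before the change reaches production. The script below is an added example and is not code from the original post or from F5 or Apache: it parses a raw HTTP response, checks the headers configured above (HSTS max-age and includeSubDomains, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and a CSP frame-ancestors directive) and reports findings. Both sample responses are constructed; the second one shows the pitfall of `Header append` when the backend already sends its own Strict-Transport-Security header, which Apache then merges into one comma-separated value that browsers will not parse as intended. The 180-day minimum is an assumption taken from the 181-day max-age in the post.

```python
"""Offline checker for the security headers configured in the post.

Added example, not from the original article. Sample responses are constructed.
"""
import re

# Constructed sample: what the Apache config / iRule above should produce.
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=15638400; includeSubDomains\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Security-Policy: frame-ancestors 'self'\r\n"
    b"Referrer-Policy: strict-origin-when-cross-origin\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample of the `Header append` pitfall: the backend already sent
# HSTS, so Apache merged the two values into one comma-separated header.
DUPLICATE_HSTS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=300, max-age=63072000; includeSubdomains;\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Headers with a single expected value (compared case-insensitively).
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def parse_headers(raw: bytes) -> dict:
    """Return {lower-cased name: [values...]} for the header block of a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value: str, min_days: int = 180) -> list:
    """Validate one Strict-Transport-Security value; return a list of findings."""
    findings = []
    if "," in value:
        findings.append("HSTS value contains a comma: a second value was appended "
                        "to an existing header (use 'Header set' rather than 'append')")
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        findings.append("HSTS is missing max-age")
    elif int(m.group(1)) < min_days * 86400:
        findings.append(f"HSTS max-age {m.group(1)} is shorter than {min_days} days")
    if not re.search(r"includesubdomains", value, re.I):
        findings.append("HSTS is missing includeSubDomains")
    return findings


def audit(raw: bytes) -> list:
    """Check a raw response against the header set from the post; return findings."""
    headers = parse_headers(raw)
    findings = []
    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif len(hsts) > 1:
        findings.append("Strict-Transport-Security sent more than once")
    else:
        findings.extend(check_hsts(hsts[0]))
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if not got:
            findings.append(f"missing {name}")
        elif got[0].lower() != want.lower():
            findings.append(f"{name} is '{got[0]}', expected '{want}'")
    csp = headers.get("content-security-policy", [])
    if not any("frame-ancestors" in v for v in csp):
        findings.append("Content-Security-Policy has no frame-ancestors directive")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_RESPONSE), ("duplicate HSTS", DUPLICATE_HSTS_RESPONSE)):
        print(f"{label}: {audit(sample) or 'OK'}")
```

To use it against a real host, capture the response with a client that shows raw headers and feed the bytes to `audit()`. Two points the checker makes visible: `Header append` is the wrong directive for single-valued headers such as HSTS when the backend may set them too, and the plain `Header` directive in Apache is not applied to error responses, so `Header always set` is the form to use if those responses should carry the headers as well.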

About

Koen Diels

I'm a freelance system and network engineer from Mechelen (BE) and I'm available for ad-hoc and long term projects.