Configuring F5 and Apache for security headers

June 27, 2017 - Reading time: 3 minutes

We have started implementing security headers on all our public web services. This article has some examples of how I implemented them on the F5 and/or in Apache.


For HTTP Strict Transport Security (HSTS) I used an iRule on the F5. (The current max-age of 15638400 seconds is 181 days.) The header goes on the response, so the insert belongs in the HTTP_RESPONSE event, and the iRule must be attached to the HTTPS virtual server: browsers ignore HSTS received over plain HTTP.

when RULE_INIT {
    # max-age in seconds; 15638400 = 181 days
    set static::max_age 15638400
}

when HTTP_RESPONSE {
    # Add HSTS to every response leaving the virtual server.
    # If the backend already sends this header you get two copies and
    # browsers only honour the first one (RFC 6797), so send it in one place.
    HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
}

If you don't have an F5 you can set the HSTS header in Apache (mod_headers) as well. Use "set" rather than "append": append merges onto a header the backend may already send, producing one comma-separated value that browsers cannot parse. "always" makes sure the header is also added to error responses. Here max-age=63072000 is two years; if you want to submit the site to the HSTS preload list, max-age must be at least one year (31536000) and the "preload" token must be added as well.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

The other security headers are set in the Apache configuration where possible. The X-Forwarded-Proto line is not a security header but a request header that tells the backend the original client connection was HTTPS; the rest are response headers. Note that X-XSS-Protection is a legacy header: current browsers have removed the XSS auditor it controlled, so it does no harm but you should not rely on it. The X-Content-Security-Policy and x-webkit-csp headers are the old prefixed forms of CSP for older IE and WebKit browsers.

RequestHeader set X-Forwarded-Proto "https"

Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
# frame-ancestors: replace the https://* entries with the specific origins allowed to frame the site
Header always set Content-Security-Policy "frame-ancestors 'self' https://* https://* https://*"
Header always set x-webkit-csp "frame-ancestors 'self' https://* https://* https://*"
Header always set X-Content-Security-Policy "frame-ancestors 'self' https://* https://* https://*"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

For Java-based applications (where there is no Apache in front) we set the same headers with an iRule. X-Forwarded-Proto is inserted on the request, everything else on the response:

when HTTP_REQUEST {
    # Tell the backend the client connection was HTTPS
    HTTP::header insert X-Forwarded-Proto "https"
}

when HTTP_RESPONSE {
    HTTP::header insert X-XSS-Protection "1; mode=block"
    HTTP::header insert X-Frame-Options "SAMEORIGIN"
    HTTP::header insert X-Content-Type-Options "nosniff"
    HTTP::header insert Content-Security-Policy "frame-ancestors 'self'"
    # Legacy prefixed CSP headers for older IE and WebKit
    HTTP::header insert X-Content-Security-Policy "frame-ancestors 'self'"
    HTTP::header insert x-webkit-csp "frame-ancestors 'self'"
    # Referrer policy
    HTTP::header insert Referrer-Policy "strict-origin-when-cross-origin"
}

Some background information on security headers:

To verify your security headers you can use the online scanner, and have a look at the blog of the person who made it: he is well informed and his blog has a lot of useful information and examples.

And of course, to verify that this site got an A rating!
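Besides the online scanner it is useful to have an offline check that can be run against a captured response, for instance from a test environment that is not reachable from the internet. The script below is example code added to this article (it is not the author's configuration and not the scanner's logic); the two sample responses are constructed by hand. It checks the headers discussed above and specifically flags the "Header append" pitfall: when the backend already sends Strict-Transport-Security, Apache's append merges both into one comma-separated value that browsers will not parse. The one-year threshold is the current HSTS preload minimum, not a value from this article.

```python
import re

# Constructed sample: a raw HTTP response (headers only) from a server using
# the Apache "Header always set" lines above.
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

# Constructed sample: the backend already sent HSTS and Apache used
# "Header append", so both values were merged with a comma.
SAMPLE_APPENDED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15638400; includeSubDomains, "
    "max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # minimum HSTS max-age for preload submission (assumed threshold)


def parse_headers(raw):
    """Map lower-cased header name -> list of values; duplicates are kept."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(headers):
    """Validate Strict-Transport-Security; return a list of findings (empty = OK)."""
    findings = []
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["HSTS header missing"]
    if len(values) > 1:
        findings.append("multiple HSTS headers; browsers honour only the first")
    value = values[0]
    if "," in value:
        # A comma means two values were merged (typical of "Header append").
        findings.append("HSTS value contains ',' (merged by 'Header append'?) and will not parse")
        return findings
    directives = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        findings.append("max-age missing or not numeric")
    elif int(directives["max-age"]) < ONE_YEAR:
        findings.append("max-age %s is below one year; too short for preload" % directives["max-age"])
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    return findings


def check_headers(raw):
    """Run all checks over a raw HTTP response; return a list of findings (empty = all good)."""
    headers = parse_headers(raw)
    findings = check_hsts(headers)

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo or xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    xcto = headers.get("x-content-type-options", [])
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if not any("frame-ancestors" in v for v in headers.get("content-security-policy", [])):
        findings.append("Content-Security-Policy has no frame-ancestors directive")

    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing")

    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("appended", SAMPLE_APPENDED)):
        print(label, check_headers(sample) or "OK")
```

The F5 iRule value from this article (max-age=15638400, 181 days) passes the parse but is reported as too short for preload; that is only relevant if you intend to submit the site to the preload list. To check a live site, feed it the output of an HTTPS HEAD request instead of the constructed samples.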


Koen Diels

I'm a freelance system and network engineer from Mechelen (BE), available for ad-hoc and long-term projects.
