-
Notifications
You must be signed in to change notification settings - Fork 3
/
RULE-Security-Headers-Static-1.tmsh
70 lines (54 loc) · 2.46 KB
/
RULE-Security-Headers-Static-1.tmsh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
ltm rule RULE-Security-Headers-1 { # RULE-Security-Headers-1
# NOTE: The HSTS header is NOT shown below, as you should really just use the available LTM HTTP profile options to set this, see HTTP-HSTS-Profile.tmsh config example in this repository
# helper function to avoid code duplication within event
proc security_header { header_name header_replace header_value } {
# use RFC2616 Linear White Space ? set to 1 if so
set use_lws {0}
# if header exists and arg #2 indicates we should replace it remove first to nuke all instances of this header then insert
set insert {0}
if { [HTTP::header exists ${header_name}] and ${header_replace} equals {1} } {
HTTP::header remove ${header_name}
set insert {1}
} elseif { not [HTTP::header exists ${header_name}] } {
set insert {1}
}
if { ${use_lws} equals {1} and ${insert} equals {1} } {
HTTP::header insert lws ${header_name} ${header_value}
unset insert use_lws
return 0
} elseif { ${insert} equals {1} } {
HTTP::header insert ${header_name} ${header_value}
unset insert use_lws
return 0
}
# header was not inserted or replaced
return 1
}
when RULE_INIT {
log local0. "initialised..."
}
when HTTP_RESPONSE {
# set your CSP header value here; variable used to simplify setting the normal header and the X- variant
set csp_value "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; upgrade-insecure-requests"
# Content-Security-Policy
call security_header {Content-Security-Policy} {0} ${csp_value}
# X-Content-Security-Policy
call security_header {X-Content-Security-Policy} {0} ${csp_value}
# X-Frame-Options
call security_header {X-Frame-Options} {0} "DENY"
# X-Content-Type-Options
call security_header {X-Content-Type-Options} {0} "nosniff"
# X-XSS-Protection
call security_header {X-XSS-Protection} {0} "1; mode=block"
# Referrer-Policy
call security_header {Referrer-Policy} {0} "strict-origin"
# Expect-CT
call security_header {Expect-CT} {0} "enforce, max-age=30"
# Expect-Staple
call security_header {Expect-Staple} {0} "max-age=3600; includeSubDomains; preload"
# Feature-Policy
call security_header {Feature-Policy} {0} "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'"
unset csp_value
}
# EOR
}