Bug ID 512668: ASM REST: Unable to Configure Clickjacking Protection via REST

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2

Opened: Mar 16, 2015
Severity: 3-Major


The REST API for URLs was missing a field for Clickjacking Protection configuration. When trying to configure that 'Rendering in Frames' should only be allowed from a single URL, there is no field to specify that URL.


A REST API client is unable to correctly configure protection that is meant to be allowed only from a specified URL.


REST API is being used to configure Clickjacking Protection for URLs.


Configure via the GUI instead of REST.

Fix Information

This release adds the missing field for REST to specify the 'only-from' clickjacking URL: 'allowRenderingInFramesOnlyFrom'.

Behavior Change