Bug ID 512668: ASM REST: Unable to Configure Clickjacking Protection via REST

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2

Opened: Mar 16, 2015

Severity: 3-Major


The REST API for URLs was missing a field for Clickjacking Protection configuration. When trying to configure that 'Rendering in Frames' should only be allowed from a single URL, there is no field to specify that URL.


A REST API client is unable to correctly configure protection that is meant to be allowed only from a specified URL.


REST API is being used to configure Clickjacking Protection for URLs.


Configure via the GUI instead of REST.

Fix Information

This release adds the missing field for REST to specify the 'only-from' clickjacking URL: 'allowRenderingInFramesOnlyFrom'.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips