Forum Discussion
A question about HSTS Mode
Hello All,
We have 2 webservers (prod and test) behind the F5 LTM, and we wanted to enable HSTS for both webservers.
On both PROD and Test, I didn't check the "Mode" checkbox. The Max-age and subdomain options are enabled. HSTS is working on Test but not on PROD.
After enabling the "Mode" checkbox on PROD, it started working. The Test server, which still has "Mode" unchecked, is also working as per Qualys SSL Labs, but it is showing a different Max-age timer and preload options which are not configured on the LB.
There are no iRules configured. F5 version is 12.1.4, I'm using a Custom HTTP profile for HSTS.
As per the F5 document, the "Mode" checkbox is mandatory and the rest of the fields are optional.
Can someone please shed some light on this? How did the Test webserver pass the HSTS test? I tested both webservers with curl, and it is the same.
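
An added example, not part of the original post or of F5's documentation: a small parser for the `Strict-Transport-Security` response header (following RFC 6797) that compares the directives seen on the wire with the values set in the HTTP profile, so a mismatch like the one reported for Test shows up as a concrete finding. The header string, the profile values and the function names are constructed for illustration.

```python
import re

# Constructed samples: values an admin set in the HTTP profile, and a header seen on the wire.
PROFILE = {"max_age": 16070400, "include_subdomains": True, "preload": False}
SAMPLE_TEST_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value):
    """Parse one Strict-Transport-Security header value (RFC 6797, section 6.1).
    Returns a dict, or None when the header is invalid and a browser would ignore it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age may be sent as a quoted-string
        if name in seen:                 # each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":          # not in RFC 6797; read by browser preload lists
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is required


def diff_against_profile(headers, configured):
    """headers: every STS header value in one response; configured: dict in parse_hsts() form.
    Returns a list of human-readable differences (empty list means they match)."""
    if not headers:
        return ["no Strict-Transport-Security header in response"]
    findings = []
    if len(headers) > 1:
        findings.append("multiple STS headers; browsers process only the first")
    observed = parse_hsts(headers[0])
    if observed is None:
        return findings + ["first STS header is invalid and will be ignored"]
    for key, want in configured.items():
        if observed[key] != want:
            findings.append(f"{key}: observed {observed[key]!r}, configured {want!r}")
    return findings
```

Feeding it the header values captured through the virtual server and, separately, the values captured from the pool member directly shows which hop is setting which directives.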