Forum Discussion

Nimbostratus

May 27, 2009

Blocking insecure log-in page

We terminate https on the F5, and pass traffic to the web apps on port 80. Consequently, I have an interesting problem. I have a log-in page (/store/user/login.jhtml) that should only be accessed via ...

app sec

BIG-IP Access Policy Manager (APM)

security

hoolio

Cirrostratus

Dec 28, 2010

Hi Tacobell,

You can insert a custom HTTP header on the HTTPS VS with a custom HTTP profile that has the header to remove set to X-HTTPS and the header to insert set to 'X-HTTPS: 1'. On the HTTP VS, you could do the same with the header to insert's value set to 0.


 HTTP profile for the HTTP virtual server
profile http http_profile_https_0 {
   defaults from http
   header insert "X-HTTPS: 0"
   header erase "X-HTTPS"
}
 HTTP profile for the HTTPS virtual server
profile http http_profile_https_1 {
   defaults from http
   header insert "X-HTTPS: 1"
   header erase "X-HTTPS"
}

Aaron

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Blocking insecure log-in page

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

F5 object groups in AFM

Round-robin method not load balanced

F5 ASM with fortisandbox

Disabling signature for a URL

Expired client-certificate

Related Content

AI Security : Prompt Injection and Insecure Output Handling.

Mitigating OWASP Web Application Insecure Design using F5 BIG-IP Advanced WAF

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Lightboard Lessons: OWASP Top 10 - Insecure Deserialization

How to Setup Shape Log Analysis in Fastly

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS