Forum Discussion

Balasubramaniy2
Sep 02, 2018

Header insert and Strict-Transport-Security

http-response add-header X-App-Server %b/%s
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if !secured_cookie

How do I migrate the above HAProxy config to F5? Also, how do I verify that the above settings are working correctly?


  • If I may elaborate, HSTS is included natively in 13.0, and has been back-ported to the latest subordinate releases of 11.x and 12.x. You'll know if you have a supported version if the HTTP Strict Transport Security section is displayed in the HTTP profile. The settings are:


    • Mode - check the box to enable HSTS header insertion.
    • Maximum Age - a directive that tells the browser how long to save this information. The default 31536000 is one year.
    • Include Subdomains - a directive that tells the browser to include subdomains of the present URL. So if the present URL is "test.com", then subdomains might include "www1.test.com", "www2.test.com", etc.
    • Preload - this is a separate directive targeted at the browser. You have to enable this option, and also report this URL to the browser vendor's HSTS preload page. When you report the URL, someone will eventually check it, and if the preload option is present, the vendor will hard-code the URL into future browser updates. See https://hstspreload.org for more details on preload.

    There are a few caveats you should be aware of when using HSTS:


    • It is vitally important that you do not have mixed (HTTP and HTTPS) content. Once a browser receives the HSTS header for your URL, it will never again attempt to request HTTP:// URLs (or until max age expires).
    • You should only present an HSTS header within an HTTPS response (vs. HTTP). It would be too easy for someone to manipulate and/or erase this header if presented in an unencrypted response.
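One way to answer the "how do I verify it" part of the question against either the HAProxy rules or the F5 HTTP profile, as an added example that is not part of the original thread: the checker below parses a captured Strict-Transport-Security header into its directives, confirms max-age, includeSubDomains and preload match the rspadd line, flags HSTS sent over plain HTTP (the second caveat above), and lists Set-Cookie values that lack the Secure attribute using the same lower-cased substring test as the HAProxy acl. The response headers in SAMPLE_OK are constructed, not captured from a server; the scheme argument is an assumption standing in for whichever listener the response came from.

```python
from typing import Dict, List, Tuple

EXPECTED_MAX_AGE = 31536000  # one year, matching the rspadd line above
Headers = List[Tuple[str, str]]


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797), so keys are lower-cased;
    value-less directives such as preload map to ''."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Headers, scheme: str) -> List[str]:
    """Return a list of problems; an empty list means HSTS looks right."""
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        # Caveat from the reply: HSTS belongs only in HTTPS responses.
        return ["HSTS header sent over plain HTTP"] if hsts else []
    if len(hsts) != 1:
        return [f"expected exactly one HSTS header, got {len(hsts)}"]
    d = parse_hsts(hsts[0])
    problems = []
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < EXPECTED_MAX_AGE:
        problems.append("max-age missing or shorter than one year")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            problems.append(f"{flag} directive missing")
    return problems


def insecure_cookies(headers: Headers) -> List[str]:
    """Cookie names of Set-Cookie values lacking the Secure attribute
    (same lower-cased substring test as the HAProxy acl above)."""
    return [v.split("=", 1)[0] for k, v in headers
            if k.lower() == "set-cookie" and "secure" not in v.lower()]


# Constructed sample of what the rewritten response should look like.
SAMPLE_OK: Headers = [
    ("X-App-Server", "app_backend/web01"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure"),
]
```

Feed it the header list from a real HTTPS response and separately from the plain-HTTP listener; both calls should return empty lists once the F5 profile is configured.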