Forum Discussion
Balasubramaniy2
Nimbostratus
NimbostratusHeader insert and Strict-Transport-Security
http-response add-header X-App-Server %b/%s
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if !secured_cookie
How migrate above HA proxy config to F5? also how verify the above setting are working correctly?
- Kevin_Stewart
Employee
If I may elaborate, HSTS is included natively in 13.0, and has been back-ported to the latest subordinate releases of 11.x and 12.x. You'll know if you have a supported version if the HTTP Strict Transport Security section is displayed in the HTTP profile. The settings are:
- Mode - check the box to enable HSTS header insertion.
- Maximum Age - a directive that tells the browser how long to save this information. The default 31536000 is one year.
- Include Subdomains - a directive that tells the browser to include subdomains of the present URL. So if the present URL is "test.com", then subdomains might include ";, "www1.test.com", "www2.test.com", etc.
- Preload - this is a separate directive targeted at the browser. You have to enable this option, and also report this URL to the browser vendor's HSTS preload page. When you report the URL, someone will eventually check it, and if the preload option is present, the vendor will hard-code the URL into future browser updates. See https://hstspreload.org for more details on preload.
There are a few caveats you should be aware of when using HSTS:
- It is vitally important that you do not have mixed (HTTP and HTTPS) content. Once a browser receives the HSTS header for your URL, it will never again attempt to request HTTP:// URLs (or until max age expires).
- You should only present an HSTS header within an HTTPS response (vs. HTTP). It would be too easy for someone to manipulate and/or erase this header if presented in an unencrypted response.
