How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

Question

I need help on how to configure all the URLs that are rediected from my F5 to comply with HSTS compliant header.  MY lTM version is 12.1.3

lee_sutcliffe · Answer

You will need to determine the best settings for HSTS for your organisation however this is an example taken from the OWASP Cheat Sheet:https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.mdThis example will check if the HSTS header exists, if it doesn't it will be inserted. You may wish to change the logic a bit and remove the header if it does exist to ensure consistency.  when HTTP_RESPONSE {
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert name "Strict-Transport-Security" value "Strict-Transport-Security: max-age=86400; includeSubDomains"
    }
}Let me know how you get onLee

Forum Discussion

How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

BIG-IP syslog include

wccp configuration for SSL Orchestrator

F5 BIG-IP Advanced WAF – DOS profile configuration options.

APM Configuration to Support Duo MFA using iRule

In F5 APM, how to include multiple DNS suffix?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS