How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

Question

I need help on how to configure all the URLs that are rediected from my F5 to comply with HSTS compliant header.  MY lTM version is 12.1.3

lee_sutcliffe · Answer

You will need to determine the best settings for HSTS for your organisation however this is an example taken from the OWASP Cheat Sheet:https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.mdThis example will check if the HSTS header exists, if it doesn't it will be inserted. You may wish to change the logic a bit and remove the header if it does exist to ensure consistency.  when HTTP_RESPONSE {
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert name "Strict-Transport-Security" value "Strict-Transport-Security: max-age=86400; includeSubDomains"
    }
}Let me know how you get onLee

Forum Discussion

How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

Recent Discussions

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

Related Content

BIG-IP syslog include

F5 BIG-IP Advanced WAF – DOS profile configuration options.

Maintaining BIG-IP's Golden Compliance Configuration in Financial Services

BIG-IP BGP Routing Protocol Configuration And Use Cases

Certificate Expiry Email alert configuration

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS