For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Godswill's avatar
Godswill
Icon for Nimbostratus rankNimbostratus
Jun 11, 2019

How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

I need help on how to configure all the URLs that are rediected from my F5 to comply with HSTS compliant header. MY lTM version is 12.1.3
application delivery
iRules
LTM
security
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Jun 12, 2019

You will need to determine the best settings for HSTS for your organisation however this is an example taken from the OWASP Cheat Sheet:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md

This example will check if the HSTS header exists, if it doesn't it will be inserted. You may wish to change the logic a bit and remove the header if it does exist to ensure consistency. 

when HTTP_RESPONSE {
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert name "Strict-Transport-Security" value "Strict-Transport-Security: max-age=86400; includeSubDomains"
    }
}

Let me know how you get on

Lee