Forum Discussion

Nimbostratus

Jun 11, 2019

How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

I need help on how to configure all the URLs that are rediected from my F5 to comply with HSTS compliant header. MY lTM version is 12.1.3

Nacreous

Jun 12, 2019

You will need to determine the best settings for HSTS for your organisation however this is an example taken from the OWASP Cheat Sheet:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md

This example will check if the HSTS header exists, if it doesn't it will be inserted. You may wish to change the logic a bit and remove the header if it does exist to ensure consistency.

when HTTP_RESPONSE {
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert name "Strict-Transport-Security" value "Strict-Transport-Security: max-age=86400; includeSubDomains"
    }
}

Let me know how you get on

Lee

Forum Discussion

How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

BIG-IP BGP Routing Protocol Configuration And Use Cases

Certificate Expiry Email alert configuration

Getting Started with BIG-IP Next: Configuring Instance High Availability

F5 BIG-IP SSL Orchestrator Configuration with Advanced WAFaaS

APM Configuration to Support Duo MFA using iRule