For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Virtualrana_132's avatar
Virtualrana_132
Icon for Nimbostratus rankNimbostratus
Nov 07, 2014

HSTS - Header not inserted with iRule

Hi,   Following is my iRule which is attached to $mydomain$ (http) VirtualServer in F5 for HSTS, but it is not inserting the "Strict-Transport-Security" header in the http response. When I run "cu...
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Nov 10, 2014

Your Virtual server that is listening for HTTP should have one iRule :

when HTTP_REQUEST {
set my_loc "https://[HTTP::host][HTTP::uri]"
TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
TCP::close
}

Your virtual server that is handing HTTPS has to have a client SSL profile and use a different iRule:

  when HTTP_RESPONSE {
    HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
}

If you are going to use HSTS your HTTP response should be 301 not 302. Also, the specification states that the HSTS header should only be sent by the HTTPS site.