HSTS - Header not inserted with iRule

STS header is relative from time of delivery, should be for minimum of one year, so there's no need for using [clock seconds] in the calculation - just use a flat value of 31536000 (1 year) and be done with it;-

when HTTP_RESPONSE {
   HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains;"
}

But why it is working for owa vs and does not work for ibank vs

I used curl tool to check for isertion (sucess fir owa but ibank not)

Iis or apacthe server shall be also activate hsts??

When you say "it's working" do you mean Qualys say it's valid, or that you can see the header inserted? Can you send curl response headers for these 2 vs so we can see the difference?

For owa (that is working)

1) by using curl tool , it shows our rule is working based on output we can find strict transport and timer 2) for qualys , it give us invlaid

For ibank

1) by using curle we can not find header strect transport

2)by using qulays it give us no on hsts checker

Is there anything in the response flow AFTER the F5 and the HTTP_RESPONSE event that could remove the header? Does the iBank virtual server have an http profile that specifies 'Response Headers Allowed', as if so it would be removing the STS header after you insert it (unless you update the profile to include Strict-Transport-Security).

So you'll just need to debug why it's not appearing at all for iBank. Ad the following statement immediately after the header insertion in HTTP_RESPONSE;-

   log local0. "STS:'[HTTP::header Strict-Transport-Security]'"

You can look at the log entries in /var/log/ltm.

I Will check it