Forum Discussion
amolari
Jan 04, 2016 | Cirrostratus
HSTS and APM (ssllabs)
Hi,
Trying to achieve a grade A+ with SSL Labs for my VS that has an Access Policy bound.
I'm running v12 and use the HSTS setting in the HTTP profile.
Testing my website with SSLLabs, ...
Lucas_Thompson_
Jan 04, 2016 | Historic F5 Account
Strictly speaking, the HSTS header is irrelevant if the site doesn't have a corresponding "http" version. I've just now tested this scenario though, and it occurs as you describe. Interestingly, the other pages (my.policy page, etc.) do honor the settings from the HTTP profile.
If you need to get around this for paperwork purposes, the following iRule will get the header in there:
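# workaround for F5 bug ID 565554
when CLIENT_ACCEPTED {
    # Let iRule events fire for APM's internally generated traffic,
    # which is hidden from iRules by default
    ACCESS::restrict_irule_events disable
}
when HTTP_RESPONSE_RELEASE {
    # Only touch the APM redirect to the policy page
    if { [HTTP::header Location] eq "/my.policy" } {
        # Insert (or overwrite) the HSTS header on that redirect
        HTTP::header replace "Strict-Transport-Security" "max-age=16070400 ; includeSubDomains"
    }
}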
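Added example, not part of the original posts or F5's code: a small Python check that confirms the redirect to /my.policy carries a usable HSTS header once the iRule is applied, parsing the value by the RFC 6797 rules. The two response heads are constructed samples, and the 180-day minimum used in the usage note is an assumed policy threshold.

```python
import re

# Constructed sample: the APM redirect without and with the workaround header.
REDIRECT_BEFORE = "HTTP/1.1 302 Found\r\nLocation: /my.policy\r\n\r\n"
REDIRECT_AFTER = REDIRECT_BEFORE.replace(
    "\r\n\r\n",
    "\r\nStrict-Transport-Security: max-age=16070400 ; includeSubDomains\r\n\r\n")

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797 section 6.1); None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()               # whitespace around ';' is allowed
        if not part:
            continue                      # empty directives are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in directives:
            return None                   # each directive may appear only once
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is required and must be digits
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def check_response(raw, min_max_age):
    """Return (ok, reason) for one raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = [line.split(":", 1)[1].strip()
              for line in head.split("\r\n")[1:]
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return False, "header missing"
    policy = parse_hsts(values[0])        # a UA processes only the first STS header
    if policy is None:
        return False, "header malformed"
    if policy["max_age"] < min_max_age:
        return False, "max-age too short"
    return True, "ok"

if __name__ == "__main__":
    for label, raw in (("before", REDIRECT_BEFORE), ("after", REDIRECT_AFTER)):
        print(label, check_response(raw, 180 * 86400))  # assumed 180-day minimum
```

To use it against a real virtual server, feed `check_response` the response head captured for the initial unauthenticated request instead of the constructed samples.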