For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 16, 2014

HSTS domain

not really an F5 question, but i do use an iRule to insert the header :)

 

does anyone has actual experience with HSTS* and on what level it is active? i read everywhere about the HSTS domain, so i expected that if i insert the header on a server called name.domain.ext it would be active for domain.ext. but when testing this on chrome it seems to make it active for name.domain.ext only. is this expected behavior?

 

*) http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

 

application delivery
design
devops
hsts
iRules
LTM
security

1 Reply

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jun 17, 2014

    based on some testing (Chrome 35, FireFox 28 / 30) i determined it is set on a host basis, not domain. so when i set the header for host1.domain.ext, then it is active for host1.domain.ext only. not for domain.ext and host2.domain.ext.