Forum Discussion

MVP

Jun 16, 2014

HSTS domain

not really an F5 question, but i do use an iRule to insert the header :)

does anyone has actual experience with HSTS* and on what level it is active? i read everywhere about the HSTS domain, so i expected that if i insert the header on a server called name.domain.ext it would be active for domain.ext. but when testing this on chrome it seems to make it active for name.domain.ext only. is this expected behavior?

*) http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

1 Reply

boneyard
MVP
Jun 17, 2014
based on some testing (Chrome 35, FireFox 28 / 30) i determined it is set on a host basis, not domain. so when i set the header for host1.domain.ext, then it is active for host1.domain.ext only. not for domain.ext and host2.domain.ext.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

HSTS domain

1 Reply

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

External Data Group Import Failing.

F5 breaking Exchange authentication

Can F5 restrict the file types transferred via FTP?

Dump all host running services during APM logon

NGINX event logs send to F5 Data Collection Device and analysis from BIG-IQ it possible or not?

Related Content

HSTS is not working.

to HSTS or not to HSTS

Enriching AFM with public domain Threat Intelligence

TMOS HSTS

Enforcing HSTS (HTTP Strict Transport Security) in LineRate

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS