Forum Discussion
HSTS for Custom Response page
Hi, I have HSTS enabled on a number of sites via an iRule (I have also tried on the HTTP profile); however, I have noticed that when the custom response page is tried in ASM the page does not have the HSTS header in the response. I understand that the F5 inserts the HSTS information on the response from the server as it passes through the F5 back to the client, but in this case the request never makes it to the server, although it does make it to the F5. The F5 blocks the requests for any number of reasons defined in the policy and responds with the custom response page. While I do see the HSTS header when browsing the site, I do not see the HSTS header when the custom response page is served.
Is it possible to enable HSTS for the custom response page?
One of our apps requires a number of parameters to be passed to it in order to load. If a user browses directly to the domain the custom response is served. As a result ssllabs scans do not detect HSTS.
- Stanislas_Piro2 (Cumulonimbus)
Is it possible to enable HSTS for the custom response page?
I guess you mean default response page.
If you change Response Type from Default Response to Custom Response, you can add the HSTS header in the Response Headers field.
- Mohanad (Cirrostratus)
I have the same issue with (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy).
I added the header response section but it did not work :(
when HTTP_RESPONSE {
    # Insert each security header only if the server response does not already carry it.
    if { !([HTTP::header exists "X-XSS-Protection"]) } { HTTP::header insert "X-XSS-Protection" "1; mode=block" }
    if { !([HTTP::header exists "X-Frame-Options"]) } { HTTP::header insert "X-Frame-Options" "SAMEORIGIN" }
    if { !([HTTP::header exists "Strict-Transport-Security"]) } { HTTP::header insert "Strict-Transport-Security" "max-age=16070400" }
    # The header value is the bare token nosniff, without quote characters.
    if { !([HTTP::header exists "X-Content-Type-Options"]) } { HTTP::header insert "X-Content-Type-Options" "nosniff" }
    # The policy value is empty, as posted.
    if { !([HTTP::header exists "content-security-policy"]) } { HTTP::header insert "content-security-policy" "" }
}
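A way to confirm the gap discussed in this thread, as an added example that is not part of any post above: a Python check that audits the security headers of a raw HTTP response, so a proxied page and a blocking page can be compared, and that also catches value mistakes such as a quoted `nosniff` or an empty policy. The sample responses, the function names and the `min_max_age` threshold are assumptions constructed for illustration.

```python
import re

# Header names taken from the list in the post above.
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-frame-options", "x-xss-protection",
            "x-content-type-options", "referrer-policy"]

def parse_headers(raw):
    """Return {lowercased name: value} from the head of a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, min_max_age=15768000):          # threshold is an assumption
    """List what is wrong with the security headers of one response."""
    h = parse_headers(raw)
    problems = ["missing " + n for n in REQUIRED if n not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', hsts, re.I)
        if m is None:
            problems.append("strict-transport-security has no max-age")
        elif int(m.group(1)) < min_max_age:
            problems.append("strict-transport-security max-age too short")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        problems.append("x-content-type-options must be exactly nosniff")
    if h.get("content-security-policy") == "":
        problems.append("content-security-policy is empty")
    return problems

# Constructed samples (not captured traffic).
PROXIED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "Strict-Transport-Security: max-age=16070400\r\n"
           "Content-Security-Policy: default-src 'self'\r\n"
           "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
           "X-Content-Type-Options: nosniff\r\nReferrer-Policy: no-referrer\r\n\r\n<html>app</html>")
BLOCKED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\n"
           "Connection: close\r\n\r\n<html>Request Rejected</html>")
MISCONFIGURED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\n"
                 "Strict-Transport-Security: max-age=16070400\r\n"
                 "X-Content-Type-Options: 'nosniff'\r\nContent-Security-Policy:\r\n\r\n<html>app</html>")

if __name__ == "__main__":
    for label, raw in [("proxied", PROXIED), ("blocked", BLOCKED), ("misconfigured", MISCONFIGURED)]:
        print(label, audit(raw) or "ok")
```

Feeding it the response head saved from a request that triggers the blocking page shows whether a fix has actually reached that page, rather than only the proxied application responses.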