Forum Discussion
HSTS header in policy is NOT sent when redirecting
We are inserting an HSTS header using a policy (v12). When a request comes into our virtual server, if the URI is just /, we have an iRule that will redirect the browser to a specific application. For example, if the user goes to https://mysite.company.com, we send back a 302 redirect to /AppName/.
A sample cURL session (with -I option) would look like this:
curl -I https://mysite.company.com
HTTP/1.0 302 Found
Location: /AppName/
Connection: Keep-Alive
Content-Length: 0
But if I go to the redirected URL, I get the HSTS header added by the policy.
curl -I https://mysite.company.com/AppName/
HTTP/1.1 200 Document follows
Mime-Version: 1.0
Date: Tue, 03 Apr 2018 18:47:05 GMT
Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
Content-Length: 12381
Content-Type: text/html
Server: Web Server
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
I can obviously abandon using the policy and insert the header before the redirect statement, but I was trying to use a policy if possible. Is there a way to have the policy execute even after a redirect?
- youssef1
Cumulonimbus
Hello Thomas,
Why don't you insert the HSTS header through the HTTP profile (used in your VS)?
Regards,
- Thomas_Schaefer
Nimbostratus
Originally, not all sites were ready to have the header inserted and as we share profiles, that would not work. Since all sites are now HTTPS, that could work but the question remains why the redirect seems to bypass the policy.
- youssef1
Cumulonimbus
Hello Thomas,
As your iRule on your HTTP VS directly answers with a redirect (I think that your policy is triggered in the RESPONSE event), your HTTP_RESPONSE event is never triggered because the redirect is triggered in the Request...
For this case you should build a specific iRule in an HTTP_REQUEST event and use the following command instead:
HTTP::respond 302 noserver Location "/AppName/" Strict-Transport-Security "max-age=31536000"
You can obtain the correct header in this request:
curl -I https://mysite.company.com/AppName/
HTTP/1.1 200 Document follows
Mime-Version: 1.0
Date: Tue, 03 Apr 2018 18:47:05 GMT
Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
Content-Length: 12381
Content-Type: text/html
Server: Web Server
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
because the response event is triggered and the policy can insert the HSTS header.
Regards,
- Thomas_Schaefer
Nimbostratus
Actually, I tried a few things but I must be missing something. In v12, there is an HSTS option in the HTTP profile, but I verified that it does NOT get inserted when doing a redirect either. When I went to a valid page that returned 200, I did see my value of the HSTS header. I know because I made it an odd max-age to verify.
Can it really work this way that the only way to add an HSTS header when doing a redirect is to do it manually in the iRule?
BTW, there is no option in the profile to insert a response header—just a request header.
Thanks,
Tom
- wlopez_98779
Nimbostratus
If you just want to insert it on all responses you can do a simple iRule like this one:
when HTTP_RESPONSE {
    HTTP::header insert Strict-Transport-Security "max-age=15552000; includeSubDomains"
}
If you want to insert it only when it's missing in the response you could use this iRule:
when HTTP_RESPONSE {
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
    }
}
- Thomas_Schaefer
Nimbostratus
According to the documentation, HTTP_RESPONSE only fires for non-local data. Hence, an HTTP::redirect is local, so this event does not fire. I had tried this but it does not work.
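A combined iRule for the case discussed in this thread, written as an added example rather than code posted by any participant: the root redirect carries HSTS on the locally generated 302 (since HTTP_RESPONSE never fires for it), and genuine server responses get the header only when the pool member did not already set it. The /AppName/ target and the max-age values come from the thread; the includeSubDomains directive is assumed.

```tcl
# Added example, not from the thread. Assumes the root URI should land on
# /AppName/ (as in the original question) and a one-year max-age.
when HTTP_REQUEST {
    # A locally generated response never passes through HTTP_RESPONSE, so the
    # HSTS header must be attached to the 302 itself. HTTP::respond accepts
    # extra header name/value pairs after the status and options.
    if { [HTTP::uri] eq "/" } {
        HTTP::respond 302 noserver Location "/AppName/" \
            Strict-Transport-Security "max-age=31536000; includeSubDomains"
        return
    }
}

when HTTP_RESPONSE {
    # This event fires only for responses that actually came back from the
    # pool member; add HSTS there unless the application already sent one.
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" \
            "max-age=31536000; includeSubDomains"
    }
}
```

Verify both paths with the same curl -I calls shown above: the 302 for / and the 200 for /AppName/ should each now carry a Strict-Transport-Security header.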
- JG
Cumulonimbus
What are the rules of your policy configured for this?
- Abdessamad1
Cirrostratus
Dear,
Concerning the processing order, you should note that iRules are evaluated after the LTM policies: https://support.f5.com/csp/article/K16590
But the event order is also important: an iRule-based redirect will cause any response-based action not to be fired.
So if you're relying a lot more on the LTM policies, I suggest that you perform your redirects via policies as well, and include the HSTS header there.
Regards.