For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Thomas_Schaefer's avatar
Thomas_Schaefer
Icon for Nimbostratus rankNimbostratus
Apr 03, 2018

HSTS header in policy is NOT sent when redirecting

We are inserting an HSTS header using a policy (v 12). When a request comes into our virtual server, if the URI is just /, we have an iRule that will redirect the browser to a specific application. F...
application delivery
iRules
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 04, 2018

Hello Thomas,

 

As your Irule on your http VS directly answer with a redirect (I Think that your policy is trigged in the RESPONSE event), your HTTP_RESPONSE event is never triggered because the redirect is trigged in the Request...

 

For this case you should build a specific Irule in an HTTP_REQUEST event and use the following command instead :

 

HTTP::respond 302 noserver Location "; Strict-Transport-Security "max-age=31536000"

 

You can obtain the correcte header in this request:

 

curl -I https://mysite.company.com/AppName/ HTTP/1.1 200 Document follows Mime-Version: 1.0 Date: Tue, 03 Apr 2018 18:47:05 GMT Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT Content-Length: 12381 Content-Type: text/html Server: Web Server Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes

 

Because the response event is trigged and the policy can insert HSTS header

 

Regards,