Forum Discussion

Thomas_Schaefer's avatar
Thomas_Schaefer
Icon for Nimbostratus rankNimbostratus
Apr 03, 2018

HSTS header in policy is NOT sent when redirecting

We are inserting an HSTS header using a policy (v 12). When a request comes into our virtual server, if the URI is just /, we have an iRule that will redirect the browser to a specific application. F...
application delivery
iRules
wlopez_98779's avatar
wlopez_98779
Icon for Nimbostratus rankNimbostratus
Apr 04, 2018

If you just want to insert it on all responses you can do a simple iRule like this one:

when HTTP_RESPONSE {
HTTP::header insert Strict-Transport-Security "max-age=15552000; includeSubDomains" }

If you want to insert it only when it's missing in the response you could use this iRule:

when HTTP_RESPONSE {
  if { !([ HTTP::header exists "Strict-Transport-Security" ])} { HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains" }}
Thomas_Schaefer's avatar
Thomas_Schaefer
Icon for Nimbostratus rankNimbostratus
Apr 04, 2018

According to the documentation, HTTP_RESPONSE only fires for non-local data. Hence, a HTTP::redirect is local so this event does not fire. I had tried this but it does not work.