Forum Discussion

EddieJK_26590
Nov 14, 2016

HSTS help with Server Name Identification

Hi,

 

I created an iRule to add HSTS on my VS as shown below. This is working.

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }

 

Now, for my VS, I added SNI (I have the three SSL client profiles and enabled it) so my VS can respond to non-www and www on the one IP address. The SSL key is an SSL SAN key and contains the non-www and www names.

 

When I go to SSL Labs, the non-www gets an A+. It shows HSTS is enabled. However, in the www site, SSL Labs gives it an A. It says HSTS is not enabled.

 

What am I missing here?

 

Thanks

 

  • Try accessing the two sites from a browser client with Fiddler installed. See if you're getting the Strict-Transport-Security header from both sites.

     

  • Hi Eddie,

    you could try to insert the HSTS headers even for your redirects.

    HTTP::respond 301 "Location" "YourTargetURL" "Strict-Transport-Security" "max-age=31536000; includeSubDomains"
    

    Cheers, Kai
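
The header comparison suggested in the replies above can be run offline against saved response headers; the following is an added example, not code from the original thread. The hostnames and both response header blocks are constructed, and it assumes the www name is answered by a redirect that lacks the header.

```python
# Constructed sample responses (not captured from the poster's site): the bare
# name returns a normal page, the www name returns a redirect (assumption).
SAMPLES = {
    "example.com": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n",
    "www.example.com": "HTTP/1.1 301 Moved Permanently\r\n"
                       "Location: https://example.com/\r\n\r\n",
}

def parse_response(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw header block."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def audit(samples):
    """Map hostname -> (status code, parsed HSTS policy or None)."""
    report = {}
    for host, raw in samples.items():
        status, headers = parse_response(raw)
        sts = headers.get("strict-transport-security")
        report[host] = (status, parse_hsts(sts) if sts is not None else None)
    return report

if __name__ == "__main__":
    for host, (status, policy) in audit(SAMPLES).items():
        print(f"{host}: HTTP {status}, HSTS {policy or 'MISSING'}")
```

A 3xx status paired with a missing policy points at the redirect response as the place where the header has to be added.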