HSTS help with Server Name Identification

Question

Hi,&nbsp;
I created an iRule to add HSTS on my VS as shown below.  This is working.
when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains" }&nbsp;
Now, for my VS, I added SNI (I have the three SSL client profiles and enabled it) so my VS can respond to non-www, and www on the one IP address.  SSL key is a SSL SAN key and contains the non-www and www names.&nbsp;
When I go to SSL Labs, the non-www gets an A+.  It shows HSTS is enabled.  However, in the www site, SSL Labs gives it an A.  It says HSTS is not enabled.&nbsp;
What am I missing here?&nbsp;
Thanks&nbsp;

kevin_stewart · Answer

Try accessing the two sites from a browser client with Fiddler installed. See if you're getting the Strict-Transport-Security header from both sites.&nbsp;

kai_wilke · Answer

Hi Eddie,
you could try to insert the HSTS headers even for your redirects.
HTTP::respond 301 "Location" "YourTargetURL" "Strict-Transport-Security" "max-age=31536000; includeSubDomains"

Cheers, Kai

Forum Discussion

HSTS help with Server Name Identification

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

TMOS HSTS

Microsoft Exchange Server

BIGIP OAUTH : Transmit "Application id" to backend server after a successful atuthentication

SSL Heartbleed server side iRule

cs-server-addr & ss-server-addr are same !

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS