Forum Discussion
ekanathdas_2662
May 14, 2012 Nimbostratus
HSTS (HTTP Strict Transport Security)
Hi team, was trying the HSTS iRule posted in "https://devcentral.f5.com/weblogs/d...start.aspx". The VIP on port 80 already had an SSL redirect iRule (HTTP to HTTPS). When the below iRule...
nathe
May 14, 2012 Cirrocumulus
Ekanath,
I understand that the issue here, and how HSTS solves things, is the redirect itself being insecure. This redirect is over cleartext and, hence, susceptible to MITM attacks. HSTS will amend the initial request to HTTPS to get round this so all session info is encrypted.
Anyway, you've got an issue when using the iRule. Looking at your iRule above - have you copied it incorrectly? You seem to be missing a couple of lines which set the variable.
Obvious one - but you'll need a VIP listening on 443 too for this to work and, without double checking, do all browsers / versions support the Strict-Transport-Security? I know Firefox does. I'll have to remind myself on that one too.
Hope this helps,
N
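
Added example, not part of the thread and not F5 or DevCentral code: a small Python check for the two-VIP setup discussed above, which parses the `Strict-Transport-Security` value per RFC 6797 and flags a port 80 response that does not redirect or a port 443 response without a usable policy. The function names, host name and sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict, or None when the header is unusable."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue                      # empty directive, allowed by the grammar
        if name in directives:
            return None                   # a directive may appear only once
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None                       # max-age is required and numeric
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def check_vips(http_resp, https_resp, host):
    """Each response is (status, headers) with lower-case header names."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https" \
            or target.hostname != host:
        findings.append("port 80: no redirect to https://" + host)
    if "strict-transport-security" in headers:
        findings.append("port 80: HSTS header over cleartext is ignored by browsers")
    status, headers = https_resp
    policy = parse_hsts(headers.get("strict-transport-security", ""))
    if policy is None:
        findings.append("port 443: Strict-Transport-Security missing or invalid")
    elif policy["max_age"] == 0:
        findings.append("port 443: max-age=0 tells the browser to drop the policy")
    return findings

# Constructed sample responses, not captured from a real BIG-IP.
HOST = "www.example.com"
PORT80_OK = (301, {"location": "https://www.example.com/"})
PORT443_OK = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})
PORT443_BAD = (200, {"strict-transport-security": "max-age="})  # value left empty

if __name__ == "__main__":
    print(check_vips(PORT80_OK, PORT443_OK, HOST))
    print(check_vips(PORT80_OK, PORT443_BAD, HOST))
```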