negin
Jun 06, 2019
Altostratus
HSTS
Hello Dear, when I enable HSTS in the profile, it inserts HSTS in the header, but when I test with SSL Labs and other tools for testing HSTS, they show there is no HSTS. How can I fix this problem? My F5 firmware is 12.1.2 ...
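This is the HSTS iRule:
when RULE_INIT {
    # Fixed date (YYYYMMDD) until which the HSTS policy should last
    set static::expires [clock scan 20200926]
}
when HTTP_RESPONSE {
    # max-age is the number of seconds remaining until that date
    HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains"
}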
I recommend you check this video ->
https://www.youtube.com/watch?v=XoYp5e4kRW4
To test it, you need to check it using curl (see video) or using advanced browsing:
>>Right Click Chrome Browser>>Inspect>>Network
>>Right Click Mozilla Browser>>Inspect Element>>Network
KR,
Dario.
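An added example, not part of the original posts: a small Python checker that applies the RFC 6797 processing rules to captured response headers, so the header seen with curl can be compared with what a strict client would accept. The sample responses are constructed; the negative max-age sample is what the iRule's expression yields once the date in static::expires has passed.

```python
import re

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a policy dict, or None if a client must ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None                          # max-age is required, non-negative digits only
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def check_response(scheme, headers):
    """headers: list of (name, value) tuples in the order received.
    Returns (status, policy)."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return "missing", None
    if scheme != "https":                    # header over plain HTTP is ignored
        return "ignored-insecure-transport", None
    policy = parse_hsts(values[0])           # only the first header field is processed
    if policy is None:
        return "invalid", None
    if policy["max_age"] == 0:               # max-age=0 removes any stored policy
        return "policy-removed", policy
    return "ok", policy

# Constructed sample responses (not captured from the site in this thread)
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=9676800; includeSubDomains")]),
    ("https", [("Strict-Transport-Security", "max-age=-86400; includeSubDomains")]),
    ("http",  [("Strict-Transport-Security", "max-age=9676800; includeSubDomains")]),
    ("https", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, headers, "->", check_response(scheme, headers))
```

Feeding it the headers from every response type the virtual server returns (pages, redirects, error pages) shows whether any of them lacks the header or carries a value a client would discard.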
Hello Dear,
when I checked with curl and Inspect Element in Firefox, it shows HSTS, but when I use SSL Labs and Burp Suite to check, they do not display HSTS.
For me, everything seems to be working perfectly from F5 perspective.
If you are receiving a MITM error message when you use Burp, that is totally normal, because Burp is the man in the middle and maybe it is trying to downgrade your communication to HTTP.
The problem is your scenario, not the HSTS solution.
Hello Dear,
I have watched the links and tested again, but HSTS does not apply to my web site. In the attached photo, the difference in HSTS between my site and the Google site is shown.
What do you mean by "hsts does not apply to my web site"?
Actually, as we saw before, HSTS is working normally and your F5 solution is OK.
Your problem is only in your Burp/browser connection, because Burp maybe removes the HSTS strip. So, I recommend you search on the internet (Google) to try to find a solution.
For example, I have just done it now and I found this ->
https://support.portswigger.net/customer/portal/questions/16358057-not-supporting-hsts
Taking into account that this is not an F5-related issue, that's all the help I can share with you.
BTW, I would appreciate it if you score my answer to compensate my time and effort :-).
KR,
Dario.