Forum Discussion

suthomas1's avatar
suthomas1
Icon for Cirrostratus rankCirrostratus
Oct 11, 2022

HTTP Strict transport

Good day all,

If the actual VM/application server has hsts enabled, is it then required to still turn on hsts in Big-IP profile?

Reason for asking is we have an application that indicates its got HSTS with the max age set, when a scan is done from the scan engines. However, on the Big-IP that fronts this application server profile does not have hsts enabled.

 

Thanks in advance.

application delivery
security
  • Lidev's avatar
    Lidev
    Oct 12, 2022

    Hi suthomas,

    if you enable HTS header on your F5 BIG-IP, you will face the problem of the double Strict-Transport-Security headers.
    If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA process only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1)

    Regards

  • Lidev's avatar
    Lidev
    Icon for MVP rankMVP
    Oct 12, 2022

    Hi suthomas,

    if you enable HTS header on your F5 BIG-IP, you will face the problem of the double Strict-Transport-Security headers.
    If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA process only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1)

    Regards

  • LouisK's avatar
    LouisK
    Icon for MVP rankMVP
    Oct 13, 2022

    Agreeing with Lidev.  So long as one obect in the chain (host server or BIG-IP) is setting the HSTS headers you are fine.  

    As a rule of thumb, in my org we do not set these values in the BIG-IP.  That allows more control from the host/application side.  However, your milage my vary.