
Forum Discussion

suthomas1
Oct 11, 2022
Solved

HTTP Strict transport

Good day all,

If the actual VM/application server has HSTS enabled, is it then still required to turn on HSTS in the BIG-IP profile?

The reason for asking is that we have an application that indicates it's got HSTS with the max-age set when a scan is done from the scan engines. However, the profile on the BIG-IP that fronts this application server does not have HSTS enabled.


Thanks in advance.

  • Hi suthomas,

    if you enable the HSTS header on your F5 BIG-IP, you will face the problem of double Strict-Transport-Security headers.
    If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA processes only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1).

    Regards

2 Replies


  • Agreeing with Lidev. So long as one object in the chain (host server or BIG-IP) is setting the HSTS headers you are fine.

    As a rule of thumb, in my org we do not set these values in the BIG-IP. That allows more control from the host/application side. However, your mileage may vary.
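To check what a scanner or browser would actually see when both the application server and the BIG-IP emit the header, here is an added audit helper (not code from the thread or from F5) that takes raw response header lines, such as those captured with `curl -I`, and reports the policy a conforming UA applies under RFC 6797 section 8.1 (only the first STS header counts; a header without a valid max-age is ignored). The sample headers and the max-age values in them are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Match a raw "Name: value" response header line for STS, case-insensitively.
STS_LINE = re.compile(r"^\s*strict-transport-security\s*:\s*(.*?)\s*$", re.IGNORECASE)


def parse_sts(value: str) -> Dict[str, Optional[str]]:
    """Split one STS field value into directives (RFC 6797, section 6.1).
    Directive names are case-insensitive; quoted values are unquoted."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if val else None
    return out


def effective_hsts(raw_headers: List[str]) -> dict:
    """Return the HSTS policy a conforming UA would apply, plus audit findings.
    Only the first STS header in the response is processed (RFC 6797, 8.1);
    a header lacking a numeric max-age does not conform and is ignored."""
    values = [m.group(1) for m in map(STS_LINE.match, raw_headers) if m]
    result = {"enforced": False, "max_age": None, "include_subdomains": False,
              "header_count": len(values), "findings": []}
    if not values:
        result["findings"].append("no Strict-Transport-Security header")
        return result
    first = parse_sts(values[0])
    if len(values) > 1:
        result["findings"].append("multiple STS headers; only the first is processed")
        if any(parse_sts(v) != first for v in values[1:]):
            result["findings"].append("STS headers disagree (e.g. different max-age)")
    max_age = first.get("max-age")
    if max_age is None or not max_age.isdigit():
        result["findings"].append("first STS header has no valid max-age; UA ignores it")
        return result
    result["enforced"] = int(max_age) > 0  # max-age=0 tells the UA to drop the policy
    result["max_age"] = int(max_age)
    result["include_subdomains"] = "includesubdomains" in first
    return result


# Constructed sample: the application server and the BIG-IP profile both insert
# the header with different settings; which one wins depends only on order.
SAMPLE_DOUBLE = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",  # app server
    "Strict-Transport-Security: max-age=16070400",  # BIG-IP profile
    "Content-Type: text/html",
]
```

Run `effective_hsts(SAMPLE_DOUBLE)` to see that the scanner's reported max-age comes from whichever header is first, which is why a single source for the header (as both replies suggest) is the easier configuration to reason about.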