Forum Discussion

Cirrostratus

Oct 11, 2022

Solved

HTTP Strict transport

Good day all, If the actual VM/application server has hsts enabled, is it then required to still turn on hsts in Big-IP profile? Reason for asking is we have an application that indicates its got H...

application delivery

security

Lidev
Oct 12, 2022
Hi suthomas,

if you enable HTS header on your F5 BIG-IP, you will face the problem of the double Strict-Transport-Security headers.
If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA process only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1)

Regards

LouisK

MVP

Oct 13, 2022

Agreeing with Lidev. So long as one obect in the chain (host server or BIG-IP) is setting the HSTS headers you are fine.

As a rule of thumb, in my org we do not set these values in the BIG-IP. That allows more control from the host/application side. However, your milage my vary.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

HTTP Strict transport

F5 Academy at AppWorld 2026

Kostas Injeyan - October 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Adding metadata to certificates objects

SSL Offloading and Backend pool https

Strict header Insertion

Terraform AS3 code for GTM Only.

Behavior of masterkey on rSeries

Related Content

Implementing HTTP Strict Transport Security in iRules

WhiteBoard Wednesday: HTTP Strict Transport Security

Enforcing HSTS (HTTP Strict Transport Security) in LineRate

F5 HTTPS Redirect 2025

What is Transport Layer Security?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS