Forum Discussion

Cirrostratus

Oct 11, 2022

HTTP Strict transport

Good day all, If the actual VM/application server has hsts enabled, is it then required to still turn on hsts in Big-IP profile? Reason for asking is we have an application that indicates its got H...

application delivery

security

Lidev
Oct 12, 2022
Hi suthomas,

if you enable HTS header on your F5 BIG-IP, you will face the problem of the double Strict-Transport-Security headers.
If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA process only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1)

Regards

LouisK

MVP

Oct 13, 2022

Agreeing with Lidev. So long as one obect in the chain (host server or BIG-IP) is setting the HSTS headers you are fine.

As a rule of thumb, in my org we do not set these values in the BIG-IP. That allows more control from the host/application side. However, your milage my vary.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

HTTP Strict transport

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Strict-Transport-Security (HSTS) header throws Operation not supported errors

HSTS (HTTP Strict Transport Security) and SSL Forward Proxy

Http redirection

HTTP and HTTPS from same VS

Simplest way to insert "Strict-Transport-Security: max-age=63072000" for all HTTP responses

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS