Forum Discussion

Cirrostratus

Oct 11, 2022

HTTP Strict transport

Good day all, If the actual VM/application server has hsts enabled, is it then required to still turn on hsts in Big-IP profile? Reason for asking is we have an application that indicates its got H...

application delivery

security

Lidev
Oct 12, 2022
Hi suthomas,

if you enable HTS header on your F5 BIG-IP, you will face the problem of the double Strict-Transport-Security headers.
If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA process only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1)

Regards

LouisK

MVP

Oct 13, 2022

Agreeing with Lidev. So long as one obect in the chain (host server or BIG-IP) is setting the HSTS headers you are fine.

As a rule of thumb, in my org we do not set these values in the BIG-IP. That allows more control from the host/application side. However, your milage my vary.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

HTTP Strict transport

Recent Discussions

फोनपे में गलत ट्रांजेक्शन

फोनपे में गलत ट्रांजेक्शन

फोनपे में गलत ट्रांजेक्शन

F5 101 EXAM

GEARHEAD ENGINEERS ORG: HOW TO GET YOUR BITCOIN OR ANY OTHER CRYPTOCURRENCY BACK FROM A SCAMMER.

Related Content

Encrypted cookies on strict uri

Strict Transport Security

SNAT Preserve-Strict not working with two different source addresses

'SameSite=strict' attribute to cookies

https end to end

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS