For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Edher_Espinosa1's avatar
Edher_Espinosa1
Icon for Nimbostratus rankNimbostratus
May 14, 2018

Skip HSTS/HPKP header error

Hi Guys!   I have the next scenario:   User - ONT - Router - F5 - Firewall - Servers (Captive portal)   I need implement a captive portal for Internet access, I have a LTM module activated a...
application delivery
LTM
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
May 14, 2018

HSTS HTTP Strict Transport Security tells the browser that the site must be only accessed via HTTPS (for the lifetime of the policy).

 

HPKP HTTP Public Key Pinning is an HTTP header that provides the public keys to the browser, so that the browser can independently verify the public key certificate provided from an HTTPS server. This mechanism prevents MITM and server spoofing.

 

Does anyone know if its possible to skip this HSTS/HPKP header error?

 

Not really - they are security mechanisms intended to warn users that they are being directed to a site that is not their intended destination.

 

You need to rely on the Browser/OS Captive Portal Detection mechanisms to prevent the HTTPS request blocking that you are seeing.