Forum Discussion

DJDX21_252164's avatar
DJDX21_252164
Icon for Cirrus rankCirrus
May 17, 2016

Strict-Transport-Security (HSTS) header throws Operation not supported errors

This is my iRule to add "Strict-Transport-Security" header to my http response code.   when HTTP_RESPONSE { set strictTransportSecurityHeader {Strict-Transport-Security} if { [HTTP::head...
BIG-IP
devops
hsts
iRules
security
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
May 18, 2016

Since you mentioned you have other iRules.

https://devcentral.f5.com/wiki/irules.HTTP__header.ashx

HTTP::header insert ...
If this command is executed after issuing the HTTP::redirect or HTTP::respond command, the F5 will become confused, generate an "Operation Not Supported" TCL error and reset the connection.

Do you issue redirects or responses from the other iRules?

  • DJDX21_252164's avatar
    DJDX21_252164
    Icon for Cirrus rankCirrus
    May 18, 2016
    Yeah, I other iRules I have http to https redirects and some http::respond too... Now how do I overcome the error I need those iRules too???
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    May 18, 2016
    After each redirect or response statement in the other iRules, use 'event disable HTTP_RESPONSE' function. If you structure the iRule well, you can get away by specifying it just once. You can also merge your iRules so the use of this function can be avoided. This kind of change can take your app down, make sure you test in QA. Also check out Stanislas answer, he's right that you will not need to use HSTS iRule on HTTP VS. If possible, create a dedicated HTTPS VS (if you don't have yet), and use the HSTS iRule there.