Forum Discussion
Beinhard_8950
Sep 02, 2010 | Nimbostratus
Strict Transport Security
Hi,
I have a question: has anyone implemented Strict Transport Security (STS/HSTS)?
I have seen many guides to implement this on servers and so on, but if you use an ADC then it would be...
JRahm
Sep 02, 2010 | Admin
Most of the controls for STS seem to occur on the client end. Implementing looks to be a fairly simple iRule, inserting a header with appropriate options for your policy and limiting access to non-ssl resources on the client-side. The problem is going to be handling non-compliant browsers. I know Chrome supports it already and FF4 will have it, but what about IE and the others? That's a large chunk of site visitors, so you would need a mechanism (simple HTTP::respond with "Please use browser X, Y, Z" would work) to inform the users. It's always tricky to enforce adoption without losing users.
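The iRule approach described in the reply above, as an added example that is not code from the thread. It assumes a single iRule attached to both a port-80 and a port-443 virtual server for the same site; the `max-age` value and the variable names are constructed for illustration.

```tcl
# Added example, not from the thread. Assumed: this one iRule is attached to
# both the port-80 and the port-443 virtual server of the same site.
when RULE_INIT {
    # Constructed policy value (one year); choose per your own policy.
    set static::hsts_value "max-age=31536000; includeSubDomains"
}

when CLIENT_ACCEPTED {
    # Remember whether this client connection arrived on the TLS listener.
    set is_tls [expr {[TCP::local_port] == 443}]
}

when HTTP_REQUEST {
    if { !$is_tls } {
        # Strip any port from Host before building the https:// URL.
        set host [getfield [HTTP::host] ":" 1]
        if { $host eq "" } {
            # No Host header: there is no safe redirect target to build.
            HTTP::respond 400 content "Bad Request"
            return
        }
        # Limit plain-HTTP access to a permanent redirect onto TLS.
        HTTP::respond 301 Location "https://${host}[HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    if { $is_tls } {
        # Send the policy only over TLS; browsers ignore it on plain HTTP.
        # Drop any copy from the back end so exactly one header goes out.
        HTTP::header remove Strict-Transport-Security
        HTTP::header insert Strict-Transport-Security $static::hsts_value
    }
}
```

Browsers that do not implement the header ignore it and still follow the 301, so the redirect covers them on every plain-HTTP request.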