WhiteBoard Wednesday: HTTP Strict Transport Security

In this edition of Whiteboard Wednesday, we discuss the topic of HTTP Strict Transport Security (HSTS).  This interconnected world is quickly moving toward encrypting everything, and it's nice to know some of the capabilities that are available today.  This video highlights what HSTS is, how it can be used, and how you can implement it using the BIG-IP.  Enjoy!

 

 

 

Related Resources:

Implementing HSTS using iRules

Implementing HSTS in LineRate

Update - Implementing HSTS in Policy:

ltm policy hsts_handling {
    controls { forwarding }
    requires { http tcp }
    rules {
        hsts_header_insert {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name Strict-Transport-Security
                    value "max-age=31536000; includeSubDomains; preload"
                }
            }
            ordinal 2
        }
        nonssl_redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location https://[HTTP::host][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

 

 

Published Sep 09, 2015
Version 1.0
hsts
iRules
LTM
security
wbw
  • ltwagnon's avatar
    ltwagnon
    Ret. Employee
    Aug 23, 2017

    I asked around and found out that version 13.0 is the first to have the "preload" setting in the HTTP profile. Prior to version 13.0 you can use an iRule to accomplish any and all of the HSTS functionality.