cancel
Showing results for 
Search instead for 
Did you mean: 
ltwagnon
Legacy Employee
Legacy Employee

In this edition of Whiteboard Wednesday, we discuss the topic of HTTP Strict Transport Security (HSTS).  This interconnected world is quickly moving toward encrypting everything, and it's nice to know some of the capabilities that are available today.  This video highlights what HSTS is, how it can be used, and how you can implement it using the BIG-IP.  Enjoy!

 

 

 

Related Resources:

Implementing HSTS using iRules

Implementing HSTS in LineRate

Update - Implementing HSTS in Policy:

ltm policy hsts_handling {
    controls { forwarding }
    requires { http tcp }
    rules {
        hsts_header_insert {
            actions {
                0 {
                    http-header
                    response
                    insert
                    name Strict-Transport-Security
                    value "max-age=31536000; includeSubDomains; preload"
                }
            }
            ordinal 2
        }
        nonssl_redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location https://[HTTP::host][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

 

 

Comments
mcaplin_59639
Nimbostratus
Nimbostratus
For those of us on newer versions, would you be able to link to a devcentral article that demonstrates how to implement HSTS via LTM Policy?
Will_
Nimbostratus
Nimbostratus
I see there was no response. Is there a way to implement HSTS in policy as is stated in the video?
JRahm
Community Manager
Community Manager
Hi guys, updated the article above to include an example on how the policy might be configured. Note that preload and includeSubDomains are optional, the latter which can be detrimental to your implementation if not planned carefully.
Will_
Nimbostratus
Nimbostratus
Jason, Many thanks for posting. I was able to create a policy, but this is a more elegant approach. Regards
Will_
Nimbostratus
Nimbostratus
Any idea why they did not include the preload option in the HTTP profile implementation on version 12.0?
ltwagnon
Legacy Employee
Legacy Employee
@Will: not sure why the preload option wasn't included in version 12.0. I talked to some guys here at F5 and they are putting in a request to have this option added in an upcoming release. Thanks!
Rocky213
Nimbostratus
Nimbostratus
It was added to release 12.1. Thank you !
ltwagnon
Legacy Employee
Legacy Employee
Thanks Rocky213!! Good to know!
am_gli
Altostratus
Altostratus

I'm running 12.1.2 HF1 and the "preload" setting is missing. Can't find anything in the release notes, that it was removed again... any ideas?

 

According to https://support.f5.com/csp/article/K40243113 it should be there...

 

ltwagnon
Legacy Employee
Legacy Employee

@am.gli, thanks for the question. honestly, i'm not sure why it's not there in 12.1.2. I asked around and will post here if I find any definitive answers on the change. In the meantime, you can still use an iRule to accomplish the same effect as the checkbox in the HTTP profile. Thanks!

 

ltwagnon
Legacy Employee
Legacy Employee

I asked around and found out that version 13.0 is the first to have the "preload" setting in the HTTP profile. Prior to version 13.0 you can use an iRule to accomplish any and all of the HSTS functionality.

 

Version history
Last update:
‎09-Sep-2015 12:09
Updated by:
Contributors