on 09-Sep-2015 12:09
In this edition of Whiteboard Wednesday, we discuss the topic of HTTP Strict Transport Security (HSTS). This interconnected world is quickly moving toward encrypting everything, and it's nice to know some of the capabilities that are available today. This video highlights what HSTS is, how it can be used, and how you can implement it using the BIG-IP. Enjoy!
Related Resources:
Implementing HSTS using iRules
Update - Implementing HSTS in Policy:
ltm policy hsts_handling { controls { forwarding } requires { http tcp } rules { hsts_header_insert { actions { 0 { http-header response insert name Strict-Transport-Security value "max-age=31536000; includeSubDomains; preload" } } ordinal 2 } nonssl_redirect { actions { 0 { http-reply redirect location https://[HTTP::host][HTTP::uri] } } conditions { 0 { tcp port values { 80 } } } ordinal 1 } } strategy first-match }
I'm running 12.1.2 HF1 and the "preload" setting is missing. Can't find anything in the release notes, that it was removed again... any ideas?
According to https://support.f5.com/csp/article/K40243113 it should be there...
@am.gli, thanks for the question. honestly, i'm not sure why it's not there in 12.1.2. I asked around and will post here if I find any definitive answers on the change. In the meantime, you can still use an iRule to accomplish the same effect as the checkbox in the HTTP profile. Thanks!
I asked around and found out that version 13.0 is the first to have the "preload" setting in the HTTP profile. Prior to version 13.0 you can use an iRule to accomplish any and all of the HSTS functionality.