
A question about HSTS Mode

SivaYenduri

Hello All,

 

We have 2 webservers (prod and test) behind the F5 LTM, and we wanted to enable HSTS for both webservers.

 

On both PROD and Test, I didn't check the "Mode" checkbox. The max-age and subdomain options are enabled. HSTS is working on Test but not on PROD.

 

After enabling the "Mode" checkbox on PROD, it started working. The Test server, which still has "Mode" unchecked, is also working as per Qualys SSL Labs, but it is showing a different max-age timer and a preload option which are not configured on the LB.

There are no iRules configured. F5 version is 12.1.4, I'm using a Custom HTTP profile for HSTS.

 

As per the F5 document, the "Mode" checkbox is mandatory and the rest of the fields are optional.

 

Can someone please shed some light on this? How did the Test webserver pass the HSTS test? I tested both webservers with curl, and it is the same.
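
One way to check whether the Strict-Transport-Security header a client receives matches the values set in the load balancer's HTTP profile, as an added example that is not part of the original post. The profile settings and header strings below are constructed sample values, and `parse_hsts` and `diff_policy` are hypothetical helper names; the parsing follows the RFC 6797 rules for the header.

```python
import re

def parse_hsts(value):
    """Parse one Strict-Transport-Security header value per RFC 6797.

    Returns a dict, or None when the header is invalid (a browser ignores it).
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                  # quoted-string values are allowed
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen[name] = arg
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is mandatory and numeric
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }

def diff_policy(expected, header_value):
    """List the fields where the observed header differs from the expected policy."""
    observed = parse_hsts(header_value)
    if observed is None:
        return ["invalid or missing header"]
    return [f"{k}: expected {expected[k]!r}, observed {observed[k]!r}"
            for k in expected if expected[k] != observed[k]]

# Constructed: the values assumed to be set in the LB's HTTP profile.
LB_PROFILE = {"max_age": 16070400, "include_subdomains": True, "preload": False}
# Constructed: header values as they might be captured with `curl -sI`.
PROD_HEADER = "max-age=16070400; includeSubDomains"
TEST_HEADER = 'max-age="31536000"; includeSubDomains; preload'

if __name__ == "__main__":
    for label, hdr in (("prod", PROD_HEADER), ("test", TEST_HEADER)):
        print(label, diff_policy(LB_PROFILE, hdr) or "matches profile")
```

A non-empty diff means the header reaching the client is not the one the profile is configured to emit, so the next place to look is any other component in the path that can set response headers.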

 
