We have 2 webservers (prod and test) behind the F5 ltm, we wanted to enable HSTS for both the webservers.
On both PROD and Test, i didn't check the "Mode" checkbox. Max-age and subdomain options are enabled. But HSTS is working on Test but not on PROD.
After enabling the "Mode" checkbox on PROD, it is started working. The Test server which has still "Mode" unchecked is also working as per Qualys SSL Labs but it is showing a different Max-age timer and preload options which are not configured on LB.
There are no iRules configured. F5 version is 12.1.4, I'm using a Custom HTTP profile for HSTS.
As per the F5 document, "Mode" checkbox is mandatory and rest of the fields are optional.
Can someone please shed some light on this? How Test webserver passed the HSTS test? I tested both the webservers with CURL, and it is the same.