HTTP Strict transport

Question

Good day all,If the actual VM/application server has hsts enabled, is it then required to still turn on hsts in Big-IP profile?Reason for asking is we have an application that indicates its got HSTS with the max age set, when a scan is done from the scan engines. However, on the Big-IP that fronts this application server profile does not have hsts enabled.&nbsp;Thanks in advance.

lidev · Accepted Answer

Hi suthomas,
if you enable HTS header on your F5 BIG-IP, you will face the problem of the double Strict-Transport-Security headers.If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), the UA process only the first (https://www.rfc-editor.org/rfc/rfc6797#section-8.1)
Regards

louisk · Answer

Agreeing with&nbsp;Lidev.&nbsp; So long as one obect in the chain (host server or BIG-IP) is setting the HSTS headers you are fine.&nbsp;&nbsp;
As a rule of thumb, in my org we do not&nbsp;set these values in the BIG-IP.&nbsp; That allows more control from the host/application side.&nbsp; However, your milage my vary.

Forum Discussion

HTTP Strict transport

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

Implementing HTTP Strict Transport Security in iRules

WhiteBoard Wednesday: HTTP Strict Transport Security

Enforcing HSTS (HTTP Strict Transport Security) in LineRate

What is Transport Layer Security?

HTTP Multipart and Security Implications