We are planning to enforce the STS header for all our sites through F5. But the problem is, we are doing SSL offloading at F5 and all content will be served over HTTP to F5.
If we set STS on F5, won't it cause a problem doing SSL offloading, as the resources might become unavailable when accessed over HTTP?
If you configure HSTS on F5 only on the client side, your F5 will still be able to retrieve resources from the HTTP backend.
If your client computer tries to reach the backend server directly using HTTP, bypassing F5, its browser will complain about HSTS as soon as it has got the HSTS policy by reaching the application through F5.
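An added example, not part of the original thread: a small Python model of the browser-side HSTS host list from RFC 6797, showing why the policy affects what the browser requests but not the plain-HTTP leg from the F5 to its pool. It goes slightly beyond the answer by also handling `includeSubDomains`, `max-age=0` and explicit ports; the class, the `f5_pool_url` helper, the host names and the pool member address are all hypothetical.

```python
# Added illustration (not from the thread); names below are hypothetical.
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal model of a browser's known-HSTS-host list (RFC 6797)."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, headers):
        """Record a policy; a header received over plain HTTP is ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(arg.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is a required directive
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)  # policy withdrawn
        else:
            self.hosts[parts.hostname] = (time.time() + max_age, include_sub)

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > time.time() and (i == 0 or entry[1]):
                return True  # exact match, or parent with includeSubDomains
        return False

    def browser_url(self, url):
        """URL the browser really requests: http is rewritten for known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"  # explicit non-80 ports are preserved
        return urlunsplit(("https", netloc, *parts[2:]))

def f5_pool_url(member, path):
    """Server-side leg after SSL offload: the proxy keeps no HSTS state."""
    return f"http://{member}{path}"
```

The rewrite happens only inside the browser, so a backend that listens on HTTP alone becomes unreachable for that browser by its public name, while the F5's own pool requests are unchanged.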