to HSTS or not to HSTS

Julio_Navarro
Cirrostratus
Cirrostratus

Hello, we have several hundred applications which are only exposed on port 443 with their proper certificates. We don't have any VIP on another port redirecting to 443. Now, enabling HSTS will bring me more security against man-in-the-middle. However, I have read that we have to make sure that "the code does not have any reference to http (80)". If I am offloading, in theory there is no reference to http as the F5 is offloading, so HSTS will not break anything, or would it?

Thank you and be safe

J

1 ACCEPTED SOLUTION

wlopez
Cirrostratus
Cirrostratus

An important thing to consider with your application development teams is that they need to make sure their code doesn't include calls for the client's browser to load things (e.g. JavaScript, fonts, Google Analytics) from third-party locations without https.

You might run into situations where you insert the header in the responses and then the client's browser will fail to load fonts or plugins from http reference links, which might degrade the application's performance or break the application altogether.

Ideally you should test this on non-production environments first.

Hope that helps.


2 REPLIES

Hello Julio.

The HSTS header is only interpreted by the client's browser. So, you only need to enable it in the client-side communication (HTTP_RESPONSE).

On the other hand, you can offload traffic between the F5 and the backend server without any kind of issue.

 

Regards,

Dario.

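The two replies above make two practical points: the Strict-Transport-Security header belongs on the response that goes back to the browser over TLS, and before it is switched on someone should check the application's pages for sub-resources (scripts, fonts, analytics) still referenced over plain http. The script below is an added example for this thread, not code from either reply or from F5: it adds the header to a response header map only when the response is served over TLS (a browser ignores HSTS received over plain HTTP) and scans an HTML body for http:// references in resource-loading attributes and in CSS url()/@import inside style blocks. The policy value in HSTS_VALUE and the sample page with its example.test hosts are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Hypothetical policy value for the example; max-age is in seconds (one year).
HSTS_VALUE = "max-age=31536000; includeSubDomains"

# (tag, attribute) pairs that make the browser fetch a sub-resource.
# A plain <a href> is navigation, not a resource load, so it is not listed.
_FETCH_ATTRS = {
    ("script", "src"), ("link", "href"), ("img", "src"), ("iframe", "src"),
    ("video", "src"), ("audio", "src"), ("source", "src"), ("embed", "src"),
    ("object", "data"), ("form", "action"),
}

# url(http://...) and @import "http://..." inside <style>, where web fonts live.
_CSS_HTTP = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])(http://[^'")\s]+)""", re.I)


class _InsecureRefParser(HTMLParser):
    """Collects (tag, attribute, url) for every plain-http resource reference."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if (tag, name) in _FETCH_ATTRS and value and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the whole <style> body to handle_data as one chunk.
        if self._in_style:
            for url in _CSS_HTTP.findall(data):
                self.findings.append(("style", "css-url", url))


def find_insecure_references(html: str) -> List[Tuple[str, str, str]]:
    """Return every http:// sub-resource reference found in an HTML body."""
    parser = _InsecureRefParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def add_hsts_header(headers: Dict[str, str], over_tls: bool) -> Dict[str, str]:
    """Return a copy of the response headers with HSTS added.

    Only done for a response served over TLS (browsers ignore the header on
    plain HTTP), and an existing header is left alone rather than duplicated.
    """
    out = dict(headers)
    if over_tls and not any(k.lower() == "strict-transport-security" for k in out):
        out["Strict-Transport-Security"] = HSTS_VALUE
    return out


# Constructed sample page: one secure stylesheet, one plain-http analytics
# script, one plain-http web font, a relative image and a plain-http link.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://analytics.example.test/ga.js"></script>
<style>@font-face { font-family: X; src: url(http://fonts.example.test/x.woff2); }</style>
</head><body>
<img src="/static/logo.png">
<a href="http://partner.example.test/">partner</a>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url in find_insecure_references(SAMPLE_HTML):
        print(f"insecure reference: <{tag} {attr}> {url}")
    print(add_hsts_header({"Content-Type": "text/html"}, over_tls=True))
```

Run it against captured responses from a non-production copy of the application, as the accepted answer suggests; the `<a href>` to a plain-http site is deliberately not reported, since following a link is a navigation rather than something the page loads.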
