hsts

WhiteBoard Wednesday: HTTP Strict Transport Security
In this edition of Whiteboard Wednesday, we discuss the topic of HTTP Strict Transport Security (HSTS). This interconnected world is quickly moving toward encrypting everything, and it's nice to know some of the capabilities that are available today. This video highlights what HSTS is, how it can be used, and how you can implement it using the BIG-IP. Enjoy!

Related Resources:
- Implementing HSTS using iRules
- Implementing HSTS in LineRate

Update - Implementing HSTS in Policy:

    ltm policy hsts_handling {
        controls { forwarding }
        requires { http tcp }
        rules {
            hsts_header_insert {
                actions {
                    0 {
                        http-header
                        response
                        insert
                        name Strict-Transport-Security
                        value "max-age=31536000; includeSubDomains; preload"
                    }
                }
                ordinal 2
            }
            nonssl_redirect {
                actions {
                    0 {
                        http-reply
                        redirect
                        location tcl:https://[HTTP::host][HTTP::uri]
                    }
                }
                conditions {
                    0 {
                        tcp
                        port
                        values { 80 }
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }

Strict-Transport-Security (HSTS) header throws Operation not supported errors
This is my iRule to add the "Strict-Transport-Security" header to my HTTP response.

    when HTTP_RESPONSE {
        set strictTransportSecurityHeader {Strict-Transport-Security}
        if { [HTTP::header exists $strictTransportSecurityHeader] } {
            HTTP::header remove $strictTransportSecurityHeader
        }
        HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}
    }

This works fine and I get "Strict-Transport-Security: max-age=31536000; includeSubDomains" as output. But it throws warnings in the monitoring tool:

    01220001:3: TCL error: /Common/StrictTransportSecurity_HSTS - Operation not supported (line 7) invoked from within "HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}"

Any idea what might be going wrong?

to HSTS or not to HSTS
Hello, we have several hundred applications which are only exposed on port 443 with their proper certificate. We don't have any VIP on another port redirecting to 443. Now, enabling HSTS will bring me more security against man-in-the-middle. However, I have read that we have to make sure that "the code does not have any reference to http (80)". If I am offloading, in theory, there is no reference to http as the F5 is offloading, and HSTS will not break anything, or would it? Thank you and be safe J

HSTS / ASM connection drops
Hi All, we currently implement HSTS as an iRule on the F5, and we also decrypt and inspect traffic with ASM. There are discussions internally on our side about adding HSTS to the web server responses on the actual server rather than from the F5. If we were to do this, is it possible/likely that F5 ASM decrypting the traffic will then result in connection drops? Thank you

HSTS on LTM
We are running 11.5.4 on several BIG-IPs and want to implement HSTS. I understand the concept of using an iRule or a policy, but I have a question. If our member web servers are doing HTTP only and SSL termination is configured on the F5, and we configure HSTS on the F5, does anything need to be done on the web servers? Thank you.

HSTS and APM (ssllabs)
Hi, trying to achieve grade A+ with SSL Labs for my VS that has an Access Policy bound. I'm running v12 and use the HSTS setting in the HTTP profile. Testing my website with SSL Labs, I can't get it to see the HSTS functionality. This is because the 302 redirect to /my.policy response doesn't contain the HSTS header. Has F5 overlooked this use case? (I haven't seen any known issue about it on AskF5.) Can anyone advise a workaround? Thanks Alex

HSTS for Custom Response page
Hi, I have HSTS enabled on a number of sites via an iRule (I have also tried on the HTTP profile); however, I have noticed that when the custom response page is triggered in ASM, the page does not have the HSTS header in the response. I understand that the F5 inserts the HSTS information on the response from the server as it passes through the F5 back to the client, but in this case the request never makes it to the server, though it does make it to the F5. The F5 blocks the request for any number of reasons defined in the policy and responds with the custom response page. While I do see the HSTS header when browsing the site, I do not see the HSTS header when the custom response page is served. Is it possible to enable HSTS for the custom response page? One of our apps requires a number of parameters to be passed to it in order to load. If a user browses directly to the domain, the custom response is served. As a result SSL Labs scans do not detect HSTS.

HSTS help with Server Name Identification
Hi, I created an iRule to add HSTS on my VS as shown below. This is working.

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }

Now, for my VS, I added SNI (I have the three SSL client profiles and enabled it) so my VS can respond to non-www and www on the one IP address. The SSL key is an SSL SAN key and contains the non-www and www names. When I go to SSL Labs, the non-www gets an A+. It shows HSTS is enabled. However, for the www site, SSL Labs gives it an A. It says HSTS is not enabled. What am I missing here? Thanks

HSTS domain
Not really an F5 question, but I do use an iRule to insert the header :) Does anyone have actual experience with HSTS* and on what level it is active? I read everywhere about the HSTS domain, so I expected that if I insert the header on a server called name.domain.ext it would be active for domain.ext. But when testing this on Chrome it seems to make it active for name.domain.ext only. Is this expected behavior?

*) http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
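Two of the posts above turn on the same two questions: what the Strict-Transport-Security value has to contain (the Whiteboard Wednesday policy sends max-age, includeSubDomains and preload) and which hosts a cached entry actually covers (the HSTS domain question). As an added example, not code from any of these posts or from F5, here is a small Python model of how a browser parses the header per RFC 6797 and scopes the resulting entry; the hostnames are constructed.

```python
import re

# One directive per ";"-separated part: name, optional quoted or token value.
# Simplification: a quoted value containing ";" is not handled.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("[^"]*"|[^\s;"]*))?\s*$')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return a policy dict or None if invalid."""
    seen = set()
    max_age = None
    flags = {"includesubdomains": False, "preload": False}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.match(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:  # RFC 6797: a repeated directive makes the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            if value is None or not value.strip('"').isdigit():
                return None
            max_age = int(value.strip('"'))
        elif name in flags:
            flags[name] = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:  # max-age is mandatory
        return None
    return {"max_age": max_age,
            "include_subdomains": flags["includesubdomains"],
            "preload": flags["preload"]}


def hsts_covers(entry_host, policy, request_host):
    """Does an HSTS entry cached for entry_host apply to request_host?"""
    entry_host = entry_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
        return False
    if request_host == entry_host:
        return True
    # Coverage only flows downward to subdomains, never up to the parent domain.
    return policy["include_subdomains"] and request_host.endswith("." + entry_host)


def preload_eligible(policy):
    """Header-level preload list requirements: one-year max-age, includeSubDomains, preload."""
    return policy["max_age"] >= 31536000 and policy["include_subdomains"] and policy["preload"]
```

Running `hsts_covers("name.domain.ext", parse_hsts("max-age=31536000; includeSubDomains"), "domain.ext")` returns False, which is the behaviour the last post observed: the header must be served by domain.ext itself for the parent domain to be protected.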