hsts
8 TopicsStrict-Transport-Security (HSTS) header throws Operation not supported errors
This is my iRule to add "Strict-Transport-Security" header to my http response code. when HTTP_RESPONSE { set strictTransportSecurityHeader {Strict-Transport-Security} if { [HTTP::header exists $strictTransportSecurityHeader] } { HTTP::header remove $strictTransportSecurityHeader } HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains} } This works fine and I get this "Strict-Transport-Security: max-age=31536000; includeSubDomains" as output. But it throws warnings in monitoring tool 01220001:3: TCL error: /Common/StrictTransportSecurity_HSTS - Operation not supported (line 7) invoked from within "HTTP::header insert $strictTransportSecurityHeader {max-age=31536000; includeSubDomains}" Errors. Any idea what might be going wrong?779Views0likes10Commentsto HSTS or not to HSTS
Hello, we have several 100's applications where are only exposed on port 443 with its proper certificate. We don't have any VIP on other port redirect to 443. Now, enabling HSTS will bring me more security against man-in-the-middle. However, I have read that we have to make sure that "the code does not have any reference to http (80)". If I am offloading, in theory, there no reference to http as the F5 is offloading and HSTS will not break anything or would it? Thank you and be safe JSolved657Views1like2CommentsHSTS / ASM connection drops
Hi All, We currently implement HSTS as an iRule on the F5, we also decrypt and inspect traffic with ASM. There are discussions internally on our side about adding HSTS to the web server responses on the actual server rather than from the F5. If we were to do this, is it possible/likely that F5 ASM decrypting the traffic will then result in connection drops? Thank you521Views0likes4CommentsHSTS on LTM
We are running 11.5.4 on several BIG IPs and want to implement HSTS. I understand the concept of using an iRule or a policy but I have a question. If our member web servers are doing HTTP only and SSL termination is configured on the F5, if we configure HSTS on the F5, does anything need to be done on the web servers? Thank you.454Views0likes4CommentsHSTS for Custom Response page
Hi, I have HSTS enabled on a number of sites via an iRule(I have also tried on the http profile) however I have noticed that when the custom response page is tried in ASM the page does not have the HSTS header in the response. I understand that the F5 inserts the hsts information on the response from the server as it passes through the F5 back to the client but in this case the request never makes it to the server, but it does make it to the F5. The F5 blocks the requests for any number of reasons defined in the policy and responds with the custom response page. While I do see the HSTS header when browsing the site, I do not see the HSTS header when the custom response page is served. Is it possible to enable HSTS for the custom response page? One of our apps requires a number of parameters to be passed to it in order to load. If a user browses directly to the domain the custom response is served. As a result ssllabs scans do not detect HSTS.406Views0likes2CommentsHSTS help with Server Name Identification
Hi, I created an iRule to add HSTS on my VS as shown below. This is working. when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains" } Now, for my VS, I added SNI (I have the three SSL client profiles and enabled it) so my VS can respond to non-www, and www on the one IP address. SSL key is a SSL SAN key and contains the non-www and www names. When I go to SSL Labs, the non-www gets an A+. It shows HSTS is enabled. However, in the www site, SSL Labs gives it an A. It says HSTS is not enabled. What am I missing here? Thanks400Views0likes2CommentsHSTS and APM (ssllabs)
hi trying to achieve a grade a+ with ssllabs for my VS that have an Access Policy bound. I'm running v12 and use the HSTS setting in the HTTP profile. Testing my website with SSLLabs, I do not get it to see the HSTS functionality. This, because the 302 redirect to /my.policy response doesn't contains the HSTS header. Has F5 overseen this use case? (I haven't seen any known issue about it on AskF5) Anyone can advice a workaround? Thanks Alex420Views0likes4CommentsHSTS domain
not really an F5 question, but i do use an iRule to insert the header :) does anyone has actual experience with HSTS* and on what level it is active? i read everywhere about the HSTS domain, so i expected that if i insert the header on a server called name.domain.ext it would be active for domain.ext. but when testing this on chrome it seems to make it active for name.domain.ext only. is this expected behavior? *) http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security185Views0likes1Comment