HSTS header in policy is NOT sent when redirecting
We are inserting an HSTS header using a policy (v 12). When a request comes into our virtual server, if the URI is just /, we have an iRule that will redirect the browser to a specific application. For example, if the user goes to https://mysite.company.com, we send back a 302 redirect to /AppName/.
A sample cURL session (with -I option) would look like this:
curl -I https://mysite.company.com
HTTP/1.0 302 Found
Location: /AppName/
Connection: Keep-Alive
Content-Length: 0
But if I go to the redirected URL, I get the HSTS header added by the policy.
curl -I https://mysite.company.com/AppName/
HTTP/1.1 200 Document follows
Mime-Version: 1.0
Date: Tue, 03 Apr 2018 18:47:05 GMT
Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
Content-Length: 12381
Content-Type: text/html
Server: Web Server
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes
I can obviously abandon using the policy and insert the header before the redirect statement, but I was trying to use a policy if possible. Is there a way to have the policy execute even after a redirect?
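
An added example, not part of the original post: a small Python check that parses `curl -I` style header dumps and reports which responses in a redirect chain lack a usable Strict-Transport-Security header, so a gap like the 302 above shows up whatever mechanism inserts the header. The sample input is constructed from the two captures in the post (abridged), and the function names are hypothetical.

```python
import re

# Constructed sample: the two captures from the post, abridged, as one chain.
SAMPLE = """\
HTTP/1.0 302 Found
Location: /AppName/
Connection: Keep-Alive
Content-Length: 0

HTTP/1.1 200 Document follows
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
"""

def parse_responses(dump):
    """Split a header dump into one (status, headers) pair per response."""
    responses = []
    for block in re.split(r"\r?\n\s*\r?\n", dump.strip()):
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", block)
        if not m:
            continue  # not a response head (empty input, stray text)
        headers = {}
        for line in block.splitlines()[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        responses.append((int(m.group(1)), headers))
    return responses

def hsts_max_age(headers):
    """Return max-age in seconds, or None if HSTS is absent or malformed."""
    value = headers.get("strict-transport-security")
    for directive in (value or "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().strip('"').isdigit():
            return int(val.strip().strip('"'))
    return None

def audit(dump):
    """Return (hop, status, max_age) for every response in the dump."""
    return [(i, s, hsts_max_age(h)) for i, (s, h) in enumerate(parse_responses(dump), 1)]

def gaps(dump, min_age=1):
    """Return (hop, status) for responses with no HSTS or max-age below min_age."""
    return [(hop, s) for hop, s, age in audit(dump) if age is None or age < min_age]

if __name__ == "__main__":
    print(gaps(SAMPLE))
```

For a live check, the output of `curl -sIL` against the bare hostname can be passed to `gaps()` in place of the constructed sample.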