Forum Discussion

Thomas_Schaefer
Apr 03, 2018

HSTS header in policy is NOT sent when redirecting

We are inserting an HSTS header using a policy (v 12). When a request comes into our virtual server, if the URI is just /, we have an iRule that will redirect the browser to a specific application. For example if the user goes to https://mysite.company.com, we send back a 302 redirect to /AppName/

 

A sample cURL session (with -I option) would look like this:

 

curl -I https://mysite.company.com
HTTP/1.0 302 Found
Location: /AppName/
Connection: Keep-Alive
Content-Length: 0

 

But if I go to the redirected URL, I get the HSTS header added by the policy.

 

curl -I https://mysite.company.com/AppName/
HTTP/1.1 200 Document follows
Mime-Version: 1.0
Date: Tue, 03 Apr 2018 18:47:05 GMT
Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
Content-Length: 12381
Content-Type: text/html
Server: Web Server
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes

 

I can obviously abandon using the policy and insert the header before the redirect statement but I was trying to use a policy if possible. Is there a way to have the policy execute even after a redirect?

 

11 Replies

  • Hello Thomas,

     

    As your iRule on your HTTP VS directly answers with a redirect (I think that your policy is triggered in the RESPONSE event), your HTTP_RESPONSE event is never triggered because the redirect is triggered in the Request...

     

    For this case you should build a specific iRule in an HTTP_REQUEST event and use the following command instead:

     

    HTTP::respond 302 noserver "Location" "/AppName/" "Strict-Transport-Security" "max-age=31536000"

     

    You can obtain the correct header in this request:

     

    curl -I https://mysite.company.com/AppName/
    HTTP/1.1 200 Document follows
    Mime-Version: 1.0
    Date: Tue, 03 Apr 2018 18:47:05 GMT
    Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
    Content-Length: 12381
    Content-Type: text/html
    Server: Web Server
    Strict-Transport-Security: max-age=31536000
    X-Frame-Options: SAMEORIGIN
    Accept-Ranges: bytes

     

    Because the response event is triggered and the policy can insert the HSTS header.

     

    Regards,

     
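    A complete iRule that puts the two pieces together: the locally generated redirect carries the HSTS header itself (since HTTP_RESPONSE never fires for it), and a fallback in HTTP_RESPONSE covers responses that do come back from the pool. This is an added example, not code from the original thread or from F5; it assumes the HTTPS virtual server from the question, /AppName/ as the redirect target described there, and a max-age matching the one in the question.

```tcl
# Added example (not from the original thread). Attach to the HTTPS virtual server only:
# browsers ignore Strict-Transport-Security on a plain-HTTP response, so sending it
# from a port-80 redirect VS buys nothing. Assumption: "/AppName/" is the target path.
when HTTP_REQUEST {
    # Root request: answer locally. HTTP::respond builds the reply on the BIG-IP,
    # so neither the LTM policy nor HTTP_RESPONSE will see it; add HSTS right here.
    if { [HTTP::path] eq "/" } {
        HTTP::respond 302 noserver \
            "Location" "/AppName/" \
            "Strict-Transport-Security" "max-age=31536000"
        # Stop processing so no later request-side logic runs on a connection we answered.
        return
    }
}

when HTTP_RESPONSE {
    # Responses that really came from a pool member do pass through this event;
    # add HSTS only if the application did not already set it (avoid duplicates).
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=31536000"
    }
}
```

    Verify it the same way the question did: `curl -I https://mysite.company.com` must now show Strict-Transport-Security on the 302 itself, and `curl -I https://mysite.company.com/AppName/` on the 200. Add `; includeSubDomains` to both values only once every subdomain is served over HTTPS, since the browser will enforce it for the whole domain tree.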

  • Hello Thomas,

     

    Why don't you insert the HSTS header through the HTTP profile (used in your VS)?

     

    Regards,

     

  • Originally, not all sites were ready to have the header inserted and as we share profiles, that would not work. Since all sites are now HTTPS, that could work but the question remains why the redirect seems to bypass the policy.

     

  • Actually, I tried a few things but I must be missing something. In v12, there is an HSTS option in the HTTP profile, but I verified that does NOT get inserted when doing a redirect either. When I went to a valid page that returned 200, I did see my value of the HSTS header. I know as I made it an odd max-age to verify.

     

    Can it really work this way that the only way to add an HSTS header when doing a redirect is to do it manually in the iRule?

     

    BTW, there is no option in the profile to insert a response header—just a request header.

     

    Thanks,

     

    Tom

     

  • wlopez

    If you just want to insert it on all responses you can do a simple iRule like this one:

    when HTTP_RESPONSE {
        HTTP::header insert Strict-Transport-Security "max-age=15552000; includeSubDomains"
    }

    If you want to insert it only when it's missing in the response you could use this iRule:

    when HTTP_RESPONSE {
        if { !([HTTP::header exists "Strict-Transport-Security"]) } {
            HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
        }
    }
    • Thomas_Schaefer

      According to the documentation, HTTP_RESPONSE only fires for non-local data. Hence, an HTTP::redirect is local, so this event does not fire. I had tried this but it does not work.

       

  • JG

    What are the rules of your policy configured for this?

     

  • Dear,

     

    Concerning the processing order, you should note that iRules are evaluated after LTM policies: https://support.f5.com/csp/article/K16590

     

    But the event order is also important: an iRule-based redirect will cause any response-based action not to fire.

     

    So if you're relying a lot more on LTM policies, I suggest that you perform your redirects via policies as well, and include the HSTS header there.

     

    Regards.