hsts scan result none

Question

We implemented hsts via irule. The ltm logs says headers are inserting but SSL labs results shows none. We tested the in chrome and can see the header values. Below is the rule.

HSTS for http vs:

when HTTP_REQUEST {

if { [ HTTP::has_responded]} {return}

HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"

}

HSTS for https vs:

when RULE_INIT {

set static::expires [clock scan "12 month"] }

when HTTP_RESPONSE {

HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains;preload"

log local0. "hsts Inserted" }

Any idea why its not flagged in scan results.

nandhi · Answer

Hi Edward,The hsts already added via irule to the specific vs. We can see the inserted header in GET response and browser developer tools. But ssl labs not able to identify it (showing none).&nbsp;

p_kueppers · Answer

Why you insert it via irule and not via http profile? are you testing your http:// url or https:// url on ssllabs? Is there maybe any redirect going on and ssllabs isnt doing that redirect, but browser does?

liefzimmerman · Answer

That previous reply was a spammer. Sorry for the confusion.

Forum Discussion

hsts scan result none

3 Replies

Recent Discussions

BWC iRule

Citrix XenServer Big-IP Upgrade help

iRule condition - request contains more than 10000 parameters

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

OWASP Automated Threats - OAT-014 Vulnerability Scanning

Advanced iRules: Scan

Advanced iRules: Binary Scan

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two