HSTS header in policy is NOT sent when redirecting

We are inserting an HSTS header using a policy (v 12). When a request comes into our virtual server, if the URI is just /, we have an iRule that will redirect the browser to a specific application. For example if the user goes to https://mysite.company.com, we send back a 302 redirect to /AppName/

A sample cURL session (with -I option) would look like this:

curl -I https://mysite.company.com
HTTP/1.0 302 Found
Location: /AppName/
Connection: Keep-Alive
Content-Length: 0

But if I go to the redirected URL, I get the HSTS header added by the policy.

curl -I https://mysite.company.com/AppName/
HTTP/1.1 200 Document follows
Mime-Version: 1.0
Date: Tue, 03 Apr 2018 18:47:05 GMT
Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
Content-Length: 12381
Content-Type: text/html
Server: Web Server
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes

I can obviously abandon using the policy and insert the header before the redirect statement but I was trying to use a policy if possible. Is there a way to have the policy execute even after a redirect?

0
Comments on this Question
Comment made 04-Apr-2018 by youssef 3608

Hello Thomas,

Why don't you insert the HSTS header through the HTTP profile (the one used on your VS)?

Regards,

0
Comment made 04-Apr-2018 by Thomas Schaefer 68

Originally, not all sites were ready to have the header inserted and as we share profiles, that would not work. Since all sites are now HTTPS, that could work but the question remains why the redirect seems to bypass the policy.

0
Comment made 04-Apr-2018 by Thomas Schaefer 68

Actually, I tried a few things but I must be missing something. In v12, there is an HSTS option in the HTTP profile, but I verified that it does NOT get inserted when doing a redirect either. When I went to a valid page that returned 200, I did see my value of the HSTS header. I know because I made it an odd max-age to verify.

Can it really work this way that the only way to add an HSTS header when doing a redirect is to do it manually in the iRule?

BTW, there is no option in the profile to insert a response header—just a request header.

Thanks,

Tom

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello Thomas,

As your iRule on your HTTP VS directly answers with a redirect (I think that your policy is triggered in the RESPONSE event), your HTTP_RESPONSE event is never triggered, because the redirect is generated in the request...

For this case you should build a specific iRule in an HTTP_REQUEST event and use the following command instead:

HTTP::respond 302 noserver Location "https://mysite.company.com/AppName/" Strict-Transport-Security "max-age=31536000"

You can obtain the correct header in this request:

curl -I https://mysite.company.com/AppName/
HTTP/1.1 200 Document follows
Mime-Version: 1.0
Date: Tue, 03 Apr 2018 18:47:05 GMT
Last-Modified: Thu, 01 Dec 2016 15:13:18 GMT
Content-Length: 12381
Content-Type: text/html
Server: Web Server
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Accept-Ranges: bytes

Because the response event is triggered and the policy can insert the HSTS header.

Regards,

0
Comments on this Answer
Comment made 04-Apr-2018 by Thomas Schaefer 68

If that is the case, then that would imply an exception to the policy running if we do a redirect in an iRule. Do you know if that is documented anywhere in the policy or redirect documentation?

0
Comment made 04-Apr-2018 by youssef 3608

Hi,

When you perform a redirection, the HSTS header is not injected. You can do it as shown in my previous post:

HTTP::respond 302 noserver Location "https://mysite.company.com/AppName/" Strict-Transport-Security "max-age=31536000"

If you perform a redirection, it is done in the HTTP_REQUEST event, and I know from experience that if you want to insert a header you have to do it in the response: either in the HTTP profile (where HSTS is inserted in the response from the server) or with HTTP::respond, where you have the possibility to respond with specific headers.

I had already encountered a similar use case in the past (if the user left the URI as "/", I was redirecting); the auditor made me notice that HSTS was not activated because it tested only on /...

For me it's normal behaviour. Can I help you differently?

Regards

0
Comment made 04-Apr-2018 by Thomas Schaefer 68

As I said, this of course will work. The issue is this means that for every redirect, I have to go add this header insert. I have 50 iRules that do redirects so it is not insignificant.

This defeats the point of a policy or even the HSTS definition on the profile.

Thanks.

0
Comment made 04-Apr-2018 by youssef 3608

Hello Thomas,

I understand; in any case I do not see how to manage this use case without changing the iRules. I searched but I cannot find documentation specific to our context. Do not hesitate to contact me if I can help you.

Regards,

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you just want to insert it on all responses you can do a simple iRule like this one:

when HTTP_RESPONSE {
    HTTP::header insert Strict-Transport-Security "max-age=15552000; includeSubDomains"
}

If you want to insert it only when it's missing in the response you could use this iRule:

when HTTP_RESPONSE {
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
    }
}
0
Comments on this Answer
Comment made 04-Apr-2018 by Thomas Schaefer 68

According to the documentation, HTTP_RESPONSE only fires for non-local data. Hence, an HTTP::redirect is local, so this event does not fire. I had tried this but it does not work.

0
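The thread splits the fix in two: youssef's HTTP::respond with the header attached for locally generated redirects (which never reach HTTP_RESPONSE or a policy response rule), and wlopez's HTTP_RESPONSE insert for responses that really come from a pool member. Thomas's objection is that the first part has to be repeated in every redirecting iRule. The following is an added example, not code from the thread or from F5, that combines both in one place using the iRules proc/call mechanism (available since v11.4, so on the poster's v12). The object names hsts_lib and root_redirect, the proc names, and the HSTS value are assumptions; the redirect target /AppName/ is the one from the question.

```tcl
# Added example (not from the thread). Two iRule objects for BIG-IP LTM.
# Object and proc names are illustrative assumptions.

# ---- iRule object "hsts_lib": a library of procs, no event handlers ----

# Single place where the HSTS policy value is defined. Add
# "; includeSubDomains" only if every subdomain really serves HTTPS.
proc header_value {} {
    return "max-age=31536000"
}

# Local redirect that carries the HSTS header. The 50 redirecting iRules
# only need their redirect line changed to:
#     call hsts_lib::redirect "/AppName/"
# HTTP::respond builds the response on the box, so neither HTTP_RESPONSE
# nor a policy response rule will ever see it; the header has to be given
# here. Per RFC 6797 the header is only meaningful on a TLS connection,
# so it is only emitted when a clientssl profile is attached to the VS.
proc redirect { location { code 302 } } {
    if { [PROFILE::exists clientssl] } {
        HTTP::respond $code noserver \
            Location $location \
            Strict-Transport-Security [call hsts_lib::header_value]
    } else {
        HTTP::respond $code noserver Location $location
    }
}

# ---- iRule object "root_redirect": attached to the HTTPS virtual server ----

when HTTP_REQUEST {
    # Same behaviour as the poster's rule: a bare "/" is sent to /AppName/,
    # but now with the HSTS header on the 302 itself.
    if { [HTTP::uri] eq "/" } {
        call hsts_lib::redirect "/AppName/"
        return
    }
}

when HTTP_RESPONSE {
    # Fires only for responses that actually came from a pool member.
    # Add the header when the application did not set it itself, using
    # the same value as the redirect path so the two cannot drift apart.
    if { [PROFILE::exists clientssl] && !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert Strict-Transport-Security [call hsts_lib::header_value]
    }
}
```

To check the result, repeat the two curl -I calls from the question: the 302 for / and the 200 for /AppName/ should now both carry Strict-Transport-Security with the same max-age, which is exactly the case the auditor in youssef's story tested.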
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

What are the rules of your policy configured for this?

0
Comments on this Answer
Comment made 05-Apr-2018 by wlopez 339

Haven't used the iRules I provided in combination with policies.

Have only used them applying them directly to the virtual servers.

0
Comment made 05-Apr-2018 by Jie 2732

It's the rules configured in the policy, not the irules.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Dear,

Concerning the processing order, you should note that iRules are evaluated after the LTM policies: https://support.f5.com/csp/article/K16590

But the event order is also important: an iRule-based redirect will cause any response-based action not to be fired.

So if you're relying a lot more on LTM policies, I suggest that you perform your redirects via policies as well, and include the HSTS header there.

Regards.

0