
Simplest way to insert "Strict-Transport-Security: max-age=63072000" for all HTTP responses

Hey folks, what is the easiest way to insert that header on an HTTPS vip where we are offloading SSL?

Thanks, Jim


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

How about something like below? This solution checks to make sure the server is not already sending one before inserting the default.

when HTTP_RESPONSE {
    # If the server has not sent an HSTS header, BIG-IP will insert one
    if { !([HTTP::header exists "Strict-Transport-Security"]) } {
        HTTP::header insert "Strict-Transport-Security" "max-age=63072000"
    }
}
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We usually implement via the HTTP profile. I'll check that the header is coming back prior to implementing but it works just fine via the profile.

Comments on this Answer
Comment made 4 months ago by crodriguez

Good suggestion, Shann_P, especially if conditional checking for an existing HSTS header is not required. Conditional checking and HSTS header insertion can also be done with a Local Traffic Policy.

Comment made 4 months ago by Shann_P 358

Nice! I haven't gotten into the Local Traffic Policies as much, but that header (like others) is coming up more and more for our PCI scans.

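An added example, not part of the thread and not F5 code: a Python check over captured response headers (for instance the output of `curl -sI`) that confirms the header comes back with the expected max-age and flags the duplicate-header case that the iRule's `exists` test avoids. The function names and the sample responses are constructed for illustration.

```python
import re

MIN_MAX_AGE = 63072000  # value from the thread: two years, in seconds

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value-or-None}, names lower-cased, or None when a
    directive is repeated, which makes the header invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if sep else None
    return directives

def check_hsts(raw_headers, min_max_age=MIN_MAX_AGE):
    """Return a list of findings for one block of raw response headers."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:  # RFC 6797 8.1: a browser processes only the first
        findings.append(f"duplicate: {len(values)} headers, only the first is honoured")
    d = parse_hsts(values[0])
    if d is None or not re.fullmatch(r"\d+", d.get("max-age") or ""):
        findings.append("invalid: max-age missing or malformed")
    elif int(d["max-age"]) < min_max_age:
        findings.append(f"weak: max-age={d['max-age']} is below {min_max_age}")
    return findings

# Constructed sample responses (not captured from a real system).
GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000\r\n\r\n"
DOUBLE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
          "Strict-Transport-Security: max-age=63072000\r\n\r\n")
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("DOUBLE", DOUBLE), ("MISSING", MISSING)):
        print(name, check_hsts(sample) or "ok")
```

The `DOUBLE` sample shows why the conditional insert matters: when a second header follows a weaker one from the server, the weaker first value is the one a browser applies.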