HSTS Irule and Validating Results

Question

Good Morning, I have IRULES on the HTTP and HTTPS virtual servers to enforce HSTS, how can I test it's being inserted correctly?  I used SSL Labs but the Server Scan didn't exactly give me what I was expecting:&nbsp;
HSTS not in Chrome, Firefox, IE.&nbsp;
My config is: V11.5.3 HF2&nbsp;
**HTTP VIP IRULE
when HTTP_REQUEST {
  HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}&nbsp;
**HTTPS VIP IRULE
when RULE_INIT {
 set static::max_age 15552000
}
when HTTP_RESPONSE {
  HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
}&nbsp;
Many thanks,&nbsp;

kai_wilke · Answer

Hi Ruggerfly,&nbsp;
the provided iRule looks good. &nbsp;
You can test your HSTS setup, by accessing the web site as usual. Then close the browser and try to access the page again via plain-text HTTP. The client should immediately switch to HTTPS without sending a single HTTP request over the wire (can be verified via TCPDUMP, Fiddler2, HTTPWatch, etc. request captures). &nbsp;
Note: You may also compare the issued HSTS header and the SSL-Labs results of https://devcentral.f5.com with your results. F5 has deployed very strict SSL settings with HSTS support.&nbsp;
Cheers, Kai&nbsp;

Forum Discussion

HSTS Irule and Validating Results

1 Reply

Recent Discussions

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Related Content

POC: Validate JWT with iRule

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Intermediate iRules: Validating Your Logic

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two

iRule to accept client then SSL cert validation