Only login will be https and everything else http

Question

I'm unable to find the F5 config to meet below requirements:
- Only landing page will be https
- Once user log in to the landing page every other url will be http(80) only
As a example, you are in the test.com home page which will force to https://test.com after you log in click any url which will be http only, lets say http://test.com/contact&nbsp;
I'm unable to find any config to meet above requirements. Please help. Thank you.&nbsp;

ekaleido · Answer

Pardon the aside, but why would you ever NOT want to utilize https?&nbsp;

zafarabu_194078 · Answer

Well current app without the F5 has been configured that way so they like to meet the same requirements with F5 configuration but eventually they will move to https sooner or later.&nbsp;

ekaleido · Answer

when HTTP_REQUEST {&nbsp;
if { [HTTP::uri] ne "/" } {&nbsp;
HTTP::redirect http://[HTTP::host][HTTP::uri]&nbsp;
}&nbsp;
}&nbsp;

kevin_stewart · Answer

To add to ekaleido's comments, this is the absolute worst thing you can do. At the very least you're breaking rule 2 in the OWASP Top 10: Broken Authentication and Session Management: https://www.owasp.org/index.php/Top_10_2013-Top_10, not to mention putting an easy target on your head for several other vulnerabilities, including XSS and XSRF. &nbsp;
It's probably fair to say that your application, once authenticated, will pass a token to the user, or in some other way maintain a session, and that data will be exposed in cleartext traffic after switching back to HTTP. Please don't do this. Industry best practice suggests that if you have anything on your site worth protecting, you should protect the whole thing.&nbsp;

kevin_stewart · Answer

To add to ekaleido's comments, this is the absolute worst thing you can do. At the very least you're breaking rule 2 in the OWASP Top 10: Broken Authentication and Session Management: https://www.owasp.org/index.php/Top_10_2013-Top_10, not to mention putting an easy target on your head for several other vulnerabilities, including XSS and XSRF. &nbsp;
It's probably fair to say that your application, once authenticated, will pass a token to the user, or in some other way maintain a session, and that data will be exposed in cleartext traffic after switching back to HTTP. Please don't do this. Industry best practice suggests that if you have anything on your site worth protecting, you should protect the whole thing.&nbsp;

Forum Discussion

Only login will be https and everything else http

5 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

Related Content

HTTP 2.0 changes everything

Insufficient permissions BIG-IQ login error

Everything old is still happening - May 15th - 21st, 2023 - F5 SIRT - This Week in Security

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

F5 login banner - GUI/CLI