How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

Question

I need help on how to configure all the URLs that are rediected from my F5 to comply with HSTS compliant header.  MY lTM version is 12.1.3

lee_sutcliffe · Answer

You will need to determine the best settings for HSTS for your organisation however this is an example taken from the OWASP Cheat Sheet:https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.mdThis example will check if the HSTS header exists, if it doesn't it will be inserted. You may wish to change the logic a bit and remove the header if it does exist to ensure consistency.  when HTTP_RESPONSE {
    if {!([HTTP::header exists "Strict-Transport-Security"])} {
        HTTP::header insert name "Strict-Transport-Security" value "Strict-Transport-Security: max-age=86400; includeSubDomains"
    }
}Let me know how you get onLee

Forum Discussion

How to configure F5 virtual servers to ensure HSTS-compliant headers for URL are included URL

1 Reply

Recent Discussions

Pricing when used with aws waf

F5 Rseries R2600 Tenant sizing

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Related Content

BIG-IP BGP Routing Protocol Configuration And Use Cases

Getting Started with BIG-IP Next: Configuring Instance High Availability

Certificate Expiry Email alert configuration

F5 BIG-IP SSL Orchestrator Configuration with Advanced WAFaaS

APM Configuration to Support Duo MFA using iRule