How To Enforce HTTP Strict Transport Security (HSTS) On A Virtual Server

The document describes how to enforce HTTP Strict Transport Security (HSTS) on an F5 BIG-IP virtual server. It provides instructions for configuring HSTS using the BIG-IP configuration utility for versions 12.0.0 and later, and for versions prior to 12.0.0 using iRules. The procedure forces compliant clients to only use HTTPS for the specified domain.

09/04/2021 How to enforce HTTP Strict Transport Security (HSTS) on a virtual server

K68657325: How to enforce HTTP Strict Transport Security (HSTS) on a virtual server

Support Solution

Original Publication Date: Aug 15, 2019
Updated Date: Jan 29, 2021

Description
This article describes how to configure HTTP Strict Transport Security (HSTS) on an LTM virtual server. You should consider using this procedure under the following conditions:

You want to protect against HTTP downgrade attacks (SSL stripping attacks) by requiring all traffic to use HTTPS.
You want to protect against mixed content on your website. HSTS automatically upgrades fetches to HTTPS in situations where a domain has mixed content.

You can configure the BIG-IP system to insert a 'Strict-Transport-Security' HTTP response header to enforce HTTP Strict Transport Security. In versions prior to BIG-IP 12.0.0, this is achieved through using a custom iRule. Starting in BIG-IP 12.0.0, you can create a custom HTTP profile with 'HTTP Strict Transport Security' enabled.

Environment
The virtual server in question must have a Client SSL Profile applied.

Cause
None

Recommended Actions
Configuring HSTS using the BIG-IP Configuration utility (BIG-IP 12.0.0 and later)
Configuring HSTS using the BIG-IP Configuration utility (BIG-IP prior to 12.0.0)

Configuring HSTS using the BIG-IP Configuration utility (BIG-IP 12.0.0 and later)
The following procedure allows you to enable HSTS.

https://support.f5.com/csp/article/K68657325 1/3

Impact of procedure: Performing the following procedure will force HSTS-compatible clients to request only HTTPS pages from your website. If your site requires non-HTTPS content to be served, some resources may become unavailable.

1. Log in to the Configuration utility.
2. Go to Local Traffic > Profiles.
3. From the Services menu, select HTTP.
4. Click Create.
5. Enter the name for the HTTP profile.
6. In the HTTP Strict Transport Security section, check the Enabled box for Mode to enable HSTS.
7. Optional: Change the value of Maximum Age to a value you want. (Default: 16070400).
8. Optional: Deselect the Enabled box for Include Subdomains to not include includeSubDomains in the Strict-Transport-Security HTTP response header.
Note: The following Preload option is not available for versions prior to 13.0.0. This option is added for versions 13.0.0 and later.
9. Optional: Check the Enabled box for Preload to include "; preload" in the Strict-Transport-Security HTTP response header.
10. Click Update.
11. Associate the HTTP profile with the virtual server.

Configuring HSTS using the BIG-IP Configuration utility (BIG-IP prior to 12.0.0)
Prior to BIG-IP 12.0.0, you could not configure HSTS in an HTTP profile. This functionality can be achieved only through using an iRule.

Impact of procedure: Performing the following procedure forces HSTS-compatible clients to request only HTTPS pages from your website. If your site requires non-HTTPS content to be served, some resources may become unavailable.

1. Log in to the BIG-IP Configuration utility.
2. Go to Local Traffic > iRules.
3. Click Create.
4. In the Name box, type a name for the iRule.
5. In the Definition box, enter the HSTS iRule you want.

Example: The following iRule responds with a Strict-Transport-Security header with a max-age of 16070400 seconds, applies the policy to all subdomains, and asks that the host and its subdomains be added to the browser's HSTS preload list of sites that are considered HTTPS only. The header is inserted only when the back-end server has not already set one; the header value must be a single line, so the string is kept on one line here.

    when HTTP_RESPONSE_RELEASE {
        # Insert the header only if the server response does not already carry one
        if { !([HTTP::header exists "Strict-Transport-Security"]) } {
            HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubdomains; preload"
        }
    }

Example: The following iRule responds with a Strict-Transport-Security HTTP header with a max-age of 16070400 seconds and applies the policy to all subdomains, again only when the server has not already set the header:

    when HTTP_RESPONSE_RELEASE {
        # Insert the header only if the server response does not already carry one
        if { !([HTTP::header exists "Strict-Transport-Security"]) } {
            HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubdomains"
        }
    }

6. Click Finished.
7. Apply the iRule to one or more virtual servers.
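After applying the profile or iRule, a practitioner will want to confirm that the header the virtual server actually emits is one a browser will honour. The following Python checker is an added example, not part of the F5 article: it parses a Strict-Transport-Security value using the directive syntax of RFC 6797 (directives separated by ';', names case-insensitive, each at most once, max-age required) and flags weak settings. The one-year minimum max-age for preload is the hstspreload.org submission requirement and is an assumption here, not something this article states.

```python
import re

# hstspreload.org submission requirement (an assumption here, not an RFC rule):
# a preloaded policy needs a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an STS field value per RFC 6797 6.1; raise ValueError if a client would ignore it."""
    if "\n" in value or "\r" in value:  # e.g. a Tcl string broken across two lines
        raise ValueError("header value contains a line break")
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # a trailing ';' is tolerated
        name, _, arg = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:  # each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            digits = arg.strip().strip('"')  # RFC 6797 allows a quoted value
            if not re.fullmatch(r"[0-9]+", digits):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(digits)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def check_hsts(value):
    """Return findings for the header a BIG-IP profile or iRule emits ([] means fine)."""
    try:
        policy = parse_hsts(value)
    except ValueError as err:
        return [f"invalid: {err}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells clients to drop the cached HSTS policy")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay unprotected")
    if policy["preload"] and policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("preload set but max-age is below the preload list minimum")
    return findings
```

Run it against the value captured from a `curl -I https://...` of the virtual server; the header produced by the first iRule above (16070400 seconds with preload) is reported as too short for the preload list, while the second one passes.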

Additional Information
None

Related Content
K40243113: Overview of the HTTP profile
K30114265: Configuring HTTP 301 redirect to preserve HSTS headers

F5 Support engineers who work directly with customers to resolve issues create this content. Support Solution articles give you fast access to mitigation, workaround, or troubleshooting suggestions.

Applies to:
Product: BIG-IP, BIG-IP LTM
Versions: 15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.X.X, 10.X.X
