Forum Discussion

saidshow_251381
Nov 13, 2017

HSTS for Custom Response page

Hi, I have HSTS enabled on a number of sites via an iRule (I have also tried it on the HTTP profile); however, I have noticed that when the custom response page is tried in ASM, the page does not have the HSTS header in the response. I understand that the F5 inserts the HSTS information on the response from the server as it passes through the F5 back to the client, but in this case the request never makes it to the server, though it does make it to the F5. The F5 blocks the request for any number of reasons defined in the policy and responds with the custom response page. While I do see the HSTS header when browsing the site, I do not see the HSTS header when the custom response page is served.

Is it possible to enable HSTS for the custom response page?

One of our apps requires a number of parameters to be passed to it in order to load. If a user browses directly to the domain, the custom response is served. As a result, SSL Labs scans do not detect HSTS.


2 Replies

  • Is it possible to enable HSTS for the custom response page?

    I guess you mean the default response page.

    If you change Response Type from Default Response to Custom Response, you can add the HSTS header in the Response Headers field.

     

  • I have the same issue with these headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy.

    I added the response header section but it did not work :(

    when HTTP_RESPONSE {
        # Only add each header when the server has not already set one.
        if { !([HTTP::header exists "X-XSS-Protection"]) } {
            HTTP::header insert "X-XSS-Protection" "1; mode=block"
        }
        if { !([HTTP::header exists "X-Frame-Options"]) } {
            HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
        }
        if { !([HTTP::header exists "Strict-Transport-Security"]) } {
            HTTP::header insert "Strict-Transport-Security" "max-age=16070400"
        }
        if { !([HTTP::header exists "X-Content-Type-Options"]) } {
            # The value is the bare token nosniff; the single quotes the
            # original wrapped around it would have been sent to the client
            # literally, and browsers would not recognise the directive.
            HTTP::header insert "X-Content-Type-Options" "nosniff"
        }
        if { !([HTTP::header exists "Content-Security-Policy"]) } {
            # The original checked for "content-security-policy " with a
            # trailing space, so the header could never match. The value is
            # still empty here: an empty CSP sends the header but enforces
            # nothing, so the real policy has to go in this string.
            HTTP::header insert "Content-Security-Policy" ""
        }
    }
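The point both replies turn on is that a scanner (or a browser) only sees the response it is actually given: if the bare domain answers with the ASM block page, that response has to carry Strict-Transport-Security too, whether it gets there from the Custom Response "Response Headers" field or from an iRule. The following Python check is an added example for this thread, not F5 code and not from either poster; it does not talk to a BIG-IP. It applies the rules a browser uses to accept an STS header (RFC 6797: max-age is required, each directive may appear at most once, only the first STS header field in a response is processed) to three constructed sample responses: the app's normal page, the block page without the header (the symptom above), and the block page after the header is added. The 180-day floor is the minimum SSL Labs gives full HSTS credit for; the sample bodies and the 16070400 and 31536000 max-age values are assumptions for illustration.

```python
"""Check that each HTTPS response, including an ASM block or custom
response page, carries a Strict-Transport-Security header a browser will
honour. Added example; not F5 code. To reproduce what a scanner sees, feed
it the output of `curl -si https://host/` and of the app URL."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses (not captured from the poster's systems).
# 1. The app's normal response: HSTS present, as the poster sees.
APP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=16070400\r\n"
    "\r\n<html>app</html>"
)
# 2. The ASM block page for a bare request to the domain: no HSTS header.
BLOCK_RESPONSE_NO_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n<html><body>The requested URL was rejected.</body></html>"
)
# 3. The same block page after adding the header in the Custom Response
#    "Response Headers" field.
BLOCK_RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html><body>The requested URL was rejected.</body></html>"
)

# SSL Labs gives full HSTS credit from 180 days; one year is the common
# recommendation. 180 days is used as the floor here.
MIN_MAX_AGE = 180 * 86400


def parse_headers(raw: str) -> Dict[str, str]:
    """Headers as lowercase-name -> value, keeping only the first occurrence
    of each name: RFC 6797 section 8.1 has a UA process only the first STS
    header field when a response carries several."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Split an STS value into directives, or return None when a browser
    would ignore it: no max-age, a non-numeric max-age, or a directive
    repeated (RFC 6797 section 6.1)."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="600" is a legal quoted form
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    return None if policy["max_age"] is None else policy


def check_hsts(raw_response: str, min_max_age: int = MIN_MAX_AGE) -> Tuple[bool, str]:
    """(ok, reason) for one response. Run it on the bare-domain response as
    well as the app URL: a scanner judges only the response it is given."""
    sts = parse_headers(raw_response).get("strict-transport-security")
    if sts is None:
        return False, "no Strict-Transport-Security header"
    policy = parse_hsts(sts)
    if policy is None:
        return False, f"STS header a browser would ignore: {sts!r}"
    max_age = policy["max_age"]
    if max_age == 0:
        return False, "max-age=0 tells browsers to drop the HSTS policy"
    if max_age < min_max_age:
        return False, f"max-age {max_age} is below {min_max_age}"
    return True, "ok"


def audit(responses: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Verdict for each labelled response."""
    return {label: check_hsts(raw) for label, raw in responses.items()}


if __name__ == "__main__":
    samples = {"app URL": APP_RESPONSE,
               "bare domain, block page before": BLOCK_RESPONSE_NO_HSTS,
               "bare domain, block page after": BLOCK_RESPONSE_WITH_HSTS}
    for label, (ok, reason) in audit(samples).items():
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {reason}")
```

The first-header-wins rule matters for the iRule approach in the reply above: if the server already sets an STS header and the iRule inserts a second one, browsers use whichever comes first, which is why that iRule guards each insert with `HTTP::header exists`.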