HSTS domain

Question

not really an F5 question, but i do use an iRule to insert the header :)&nbsp;
does anyone has actual experience with HSTS* and on what level it is active? i read everywhere about the HSTS domain, so i expected that if i insert the header on a server called name.domain.ext it would be active for domain.ext. but when testing this on chrome it seems to make it active for name.domain.ext only. is this expected behavior? &nbsp;
*) http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security&nbsp;

boneyard · Answer

based on some testing (Chrome 35, FireFox 28 / 30) i determined it is set on a host basis, not domain. so when i set the header for host1.domain.ext, then it is active for host1.domain.ext only. not for domain.ext and host2.domain.ext.

Forum Discussion

HSTS domain

1 Reply

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Enriching AFM with public domain Threat Intelligence

to HSTS or not to HSTS

domain blocking

TMOS HSTS

Change cookie domain in HTTP::respond