Bug ID 565554: The [HTTP::hsts] iRule API now also supports the retrieval of the full HTTP-Strict-Transport-Security (HSTS) header

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3

Opened: Jan 04, 2016
Severity: 3-Major

Symptoms

HTTP profile does not honor HSTS header for /my.policy redirect on an APM virtual server.

Impact

Functional. HSTS header is missing on APM redirect pages.

Conditions

APM and LTM provisioned. APM virtual server with an HTTP profile that has HSTS configured.

Workaround

An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs

Fix Information

Starting in 12.0.0 HF3 and 12.1.0, the APM Access hudfilter honors the HSTS header without requiring an iRule. In affected versions, an iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs
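The workaround described in the Workaround and Fix Information sections, written out as an added iRule example (not the DevCentral iRule linked above). It assumes the HTTP profile's HSTS settings are a max-age of 16070400 seconds with includeSubDomains (adjust the static values to match the profile), and that HTTP_RESPONSE_RELEASE fires for the BIG-IP-generated /my.policy redirect:

```tcl
# Added example, not the DevCentral iRule referenced above.
# Assumption: these static values mirror the HTTP profile's HSTS
# configuration on the APM virtual server.
when RULE_INIT {
    set static::hsts_max_age 16070400
    set static::hsts_include_subdomains 1
}

when HTTP_RESPONSE_RELEASE {
    # Last chance to touch response headers; this event also covers
    # responses the BIG-IP generates locally, such as the APM redirect.
    set status [HTTP::status]
    if { $status >= 300 && $status < 400 } {
        # Only add the header when the profile did not already emit it,
        # so fixed versions do not end up with a duplicate HSTS header.
        if { !([HTTP::header exists "Strict-Transport-Security"]) } {
            set hsts "max-age=$static::hsts_max_age"
            if { $static::hsts_include_subdomains } {
                append hsts "; includeSubDomains"
            }
            HTTP::header insert "Strict-Transport-Security" $hsts
        }
    }
}
```

On 12.0.0 HF3 and 12.1.0 the read-only [HTTP::hsts value] invocation can supply the header string in place of the static values.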

Behavior Change

The [HTTP::hsts] iRule API now also supports the retrieval of the full HTTP-Strict-Transport-Security (HSTS) header, by using either of the following invocations:

[HTTP::hsts]
[HTTP::hsts value]

These APIs are read-only. For writing/updating the HSTS header, the following APIs are used:

HTTP::hsts mode <enable|disable>
HTTP::hsts maximum-age <age>
HTTP::hsts include-subdomains <enable|disable>