Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 12.0.0 HF3
Opened: Jan 04, 2016 Severity: 3-Major
Symptoms:
HTTP profile does not honor the HSTS header for the /my.policy redirect on an APM virtual server.
Impact:
Functional. The HSTS header is missing on APM redirect pages.
Conditions:
APM and LTM provisioned. APM virtual server with an HTTP profile that has HSTS configured.
Workaround:
An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs
Fix Information:
Starting in 12.0 HF3 and 12.1, the APM Access hudfilter honors the HSTS header without requiring an iRule. In affected versions an iRule can be attached to the APM virtual server to retrieve and explicitly set the HSTS header upon URL redirection. DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs
Behavior Change:
The [HTTP::hsts] iRule API now also supports retrieval of the full HTTP-Strict-Transport-Security (HSTS) header, using either of the following invocations:
[HTTP::hsts]
[HTTP::hsts value]
These APIs are read-only. For writing/updating the HSTS header, the following APIs are used:
HTTP::hsts mode <enable|disable>
HTTP::hsts maximum-age <age>
HTTP::hsts include-subdomains <enable|disable>
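The following iRule is an added example of the workaround described above; it is not the iRule from this bug record or from the linked DevCentral thread. It assumes that the HTTP_RESPONSE_RELEASE event fires for the APM-generated 302 to /my.policy, and that the static value in RULE_INIT is kept identical to the HSTS settings on the virtual server's HTTP profile (the value shown is constructed, not taken from the page). It inserts the header only on redirects that lack it, so responses the profile already handles are not given a second copy.

```tcl
# Added example iRule (not from the F5 bug page or the DevCentral thread).
# Assumption: keep this string in step with the HTTP profile's HSTS settings
# (maximum-age and include-subdomains) so both paths advertise the same policy.
when RULE_INIT {
    set static::hsts_value "max-age=31536000; includeSubDomains"
}

# Assumption: HTTP_RESPONSE_RELEASE is raised for the APM-generated redirect
# as well as for responses from pool members.
when HTTP_RESPONSE_RELEASE {
    # Act only on 3xx responses that still lack the header; the /my.policy
    # redirect on affected versions is one of them.
    if { [HTTP::is_redirect] && ![HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header insert "Strict-Transport-Security" $static::hsts_value
        # Optional audit trail while confirming the workaround is effective.
        log local0.info "HSTS inserted on redirect to [HTTP::header value Location]"
    }
}
```

Attach the iRule to the APM virtual server and confirm the result from a client with `curl -skI https://<virtual-server>/` (a placeholder host): the 302 pointing at /my.policy should now carry Strict-Transport-Security. After upgrading to 12.0 HF3 or 12.1, the Access hudfilter emits the header itself and the iRule can be removed; the `header exists` guard keeps it harmless if it is left in place during the transition.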