Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1
Fixed In:
14.1.0, 13.1.1.2
Opened: Jul 18, 2018
Severity: 3-Major
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.
Without these headers, the user agent (browser) may switch to non-secure communication.
This occurs when the following conditions are met:
-- The HTTP profile is configured with HSTS enabled.
-- HTTP GET requests are made for APM renderer files, including CSS, JS, and image files from the webtop.
None.
When the HTTP profile is configured with HSTS enabled, all APM renderer files are now sent with HSTS headers.
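One way to confirm the fix after upgrading is to audit captured response headers for every renderer file type, not only the HTML pages. The following is an added example, not F5 code: the paths and header values in `SAMPLE` are constructed placeholders, and the parser follows the RFC 6797 directive rules (case-insensitive names, optional quoted values, required `max-age`, no duplicate directives).

```python
import re

# RFC 6797 directive grammar: token [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*("[^"]*"|[^;\s]*))?\s*$')

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives are permitted
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive must not appear more than once
        seen[name] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be an integer
    return int(seen["max-age"]), "includesubdomains" in seen

def audit(responses):
    """responses: iterable of (path, headers dict). Return paths without effective HSTS."""
    findings = []
    for path, headers in responses:
        hsts = [v for k, v in headers.items()
                if k.lower() == "strict-transport-security"]
        parsed = parse_hsts(hsts[0]) if hsts else None
        if parsed is None:
            findings.append((path, "missing or invalid"))
        elif parsed[0] == 0:
            findings.append((path, "max-age=0 clears the policy"))
    return findings

# Constructed sample: placeholder paths, one entry per renderer file type.
SAMPLE = [
    ("/example/logon.html", {"Strict-Transport-Security": "max-age=16070400; includeSubDomains"}),
    ("/example/webtop.css", {"Content-Type": "text/css"}),
    ("/example/webtop.js", {"strict-transport-security": 'max-age="31536000"'}),
    ("/example/logo.png", {"Strict-Transport-Security": "includeSubDomains"}),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: HSTS {reason}")
```

On an affected version, the CSS, JS, and image entries are the ones expected to appear in the findings while the HTML pages pass.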