Bug ID 793149: Adding the Strict-transport-Policy header to internal responses

Last Modified: Sep 11, 2019


Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.2, 15.0.0, 15.0.1

Opened: Jun 13, 2019
Severity: 3-Major


Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.


Responses arrive at the browser without the Strict-transport-Policy header.


- ASM is provisioned with CAPTCHA/CSI challenge enabled, or
- DoS is provisioned with CAPTCHA/CSI enabled, or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection enabled.


Create an iRule to add the header to the response.
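
One way to confirm the workaround covers every response, including the internally generated challenge pages, is to audit captured responses for the header. This is an added example, not F5 code: the sample responses are constructed, the function names are hypothetical, and it assumes the on-the-wire header name Strict-Transport-Security from RFC 6797.

```python
import re

# Constructed sample responses (not captured from a real BIG-IP).
SAMPLES = {
    "origin": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "\r\n<html>app</html>"
    ),
    "challenge": (  # stand-in for an internally generated CAPTCHA/CSI response
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Cache-Control: no-store\r\n\r\n<html>challenge</html>"
    ),
}

def header_values(raw, name):
    """Return all values of header `name` (case-insensitive) in a raw response."""
    head = raw.partition("\r\n\r\n")[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def hsts_status(raw):
    """Classify one response: 'ok', 'missing', 'no-max-age' or 'disabled'."""
    values = header_values(raw, "Strict-Transport-Security")
    if not values:
        return "missing"
    directives = {}
    # RFC 6797: a user agent processes only the first HSTS header field.
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives.setdefault(key.strip().lower(), val.strip().strip('"'))
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return "no-max-age"
    # max-age=0 tells the browser to drop its stored HSTS policy.
    return "ok" if int(max_age) > 0 else "disabled"

def audit(responses):
    """Map each label to its status, keeping only responses that fail."""
    statuses = {label: hsts_status(raw) for label, raw in responses.items()}
    return {label: s for label, s in statuses.items() if s != "ok"}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Feed it responses captured both before and after the iRule is attached; a challenge response that still reports `missing` means the iRule does not reach that internal response.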

Fix Information


Behavior Change