Bug ID 793149: Adding the Strict-transport-Policy header to internal responses

Last Modified: Nov 07, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.1.0, 14.1.2, 15.0.0, 15.0.1

Fixed In:

Opened: Jun 13, 2019

Severity: 3-Major


Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.


Responses arrive at the browser without the Strict-transport-Policy header.


- ASM is provisioned with CAPTCHA/CSI challenge enabled, or
- DoS is provisioned with CAPTCHA/CSI enabled, or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection enabled.


Create an iRule to add the header to the response.

Fix Information

A BigDB parameter (asm.strict_transport_policy) was added that allows the header to be added to all internal responses. It is disabled by default.

Behavior Change
