Bug ID 866685: Empty HSTS headers when HSTS mode for HTTP profile is disabled

Last Modified: May 27, 2020

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.1.0, 15.1.0.1

Fixed In:
15.1.0.2, 15.0.1.3, 14.1.2.5

Opened: Jan 06, 2020
Severity: 3-Major

Symptoms

HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Impact

Some audit scanners flag an empty Strict-Transport-Security header value as a vulnerability. Browsers treat an empty HSTS value the same as no HSTS header at all.

Conditions

This occurs when the following conditions are met:
-- The HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests are made for APM renderer content, including CSS, JS, and image files from the webtop.

Workaround

1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

    when HTTP_RESPONSE_RELEASE {
        if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
            HTTP::header remove "Strict-Transport-Security"
        }
    }
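The following checker is an added example, not F5 code: it classifies the Strict-Transport-Security header of a captured response as missing, empty (the symptom of this bug), invalid, or valid, so a scanner finding can be confirmed against webtop CSS/JS/image responses before and after the workaround. The sample responses are constructed; the 16070400 max-age value is assumed for the sample only.

```python
"""Classify the HSTS header in raw HTTP responses (added example, not F5 code)."""
import re

# max-age is the one required HSTS directive; the value may be quoted (RFC 6797).
MAX_AGE_RE = re.compile(r'^max-age="?(\d+)"?$', re.IGNORECASE)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw CRLF-delimited HTTP/1.1 response into (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify_hsts(raw: str) -> str:
    """Return 'missing', 'empty', 'invalid' or 'valid:<max-age seconds>'.

    'empty' is reported on its own: browsers ignore it (same as no HSTS),
    while some audit scanners report it as a finding.
    """
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    if not values:
        return "missing"
    value = values[0]  # browsers process only the first STS header (RFC 6797 s8.1)
    if value == "":
        return "empty"
    max_age = None
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        match = MAX_AGE_RE.match(directive)
        if match:
            max_age = int(match.group(1))
    return "invalid" if max_age is None else f"valid:{max_age}"


# Constructed samples: the APM renderer case, a normal policy, and no header.
EMPTY_HSTS_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
    "Strict-Transport-Security:\r\n\r\nbody{}"
)
GOOD_HSTS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=16070400; includeSubDomains\r\n\r\n"
)
NO_HSTS_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("empty", EMPTY_HSTS_RESPONSE), ("good", GOOD_HSTS_RESPONSE)]:
        print(name, classify_hsts(sample))
```

Feed it the raw output of a TLS request for a webtop asset (for example a `curl -si` capture) to see whether the empty header is still present after the iRule is applied.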

Fix Information

When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.

Behavior Change