HTTP Strict Transport Security

The LoadMaster can set HTTP Strict Transport Security (HSTS) by injecting the necessary header into every server response.

Some items to note before proceeding are listed below:

  • For SSL-based services, SSL Acceleration must be enabled to perform the header injection
  • Ensure that the entire site is available via HTTPS as returning clients will no longer request insecure HTTP connections
  • Ensure all sub-domains are available via HTTPS before setting the includeSubDomains flag
  • A valid SSL certificate is required. A self-signed certificate cannot be used.

The instructions below assume that an SSL Virtual Service, with SSL Acceleration enabled, is already configured and working. For documentation regarding the creation of the service see: SSL Accelerated Services.

First, configure the content rule:

  1. In the main menu of the LoadMaster Web User Interface (WUI), select Rules & Checking > Content Rules.
  2. Click the Create New button.
  3. Specify a Rule Name.
  4. Change Rule Type to Add Header.
  5. In Header Field to be Added, enter Strict-Transport-Security.
  6. In Value of Header Field to be Added, enter max-age=<time>.
    <time> is a value in seconds up to a maximum of 31536000. Refer to the notes below for additional options in this field.
  7. Click the Create Rule button.

Now, apply this rule to the Virtual Service by following the steps below in the WUI:

  1. Go to Virtual Services > View/Modify Services.
  2. Click Modify on the Virtual Service that HSTS is to be added to.
  3. Expand the Advanced Properties section.
  4. Click Show Header Rules.
  5. Under Response Rules, select the rule created above from the drop-down list.
  6. Click the Add button.

There are several options for the value of the Strict-Transport-Security header. The only mandatory value is max-age. The possible header values are:

  • max-age=: This value tells the browser how long (in seconds) to remember the site's HSTS policy. Use caution when entering large values for max-age, because infrequent visitors to your site may experience issues if you relax your SSL policies in the future.
  • includeSubDomains: This includes all sub-domains in the HSTS policy as well. Before enabling includeSubDomains, also consider the impact of any existing DNS Canonical Name (CNAME) records for Content Delivery Networks (CDNs), email services, or other third party services, since includeSubDomains will force such CNAME sub-domains to HTTPS too.
  • preload: This signals that the site consents to being included in the browsers' built-in HSTS preload list. To be included on the preload list you must submit your site here: hstspreload.appspot.com.
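To confirm that the rule is actually injecting a sane policy once it is applied, the following added Python check (example code, not part of LoadMaster or this article) parses a Strict-Transport-Security value and reports problems against the constraints above; the 31536000 limit is the WUI maximum stated above, the sample responses are constructed, and the preload/includeSubDomains coupling is the hstspreload.org submission requirement.

```python
"""Parse and sanity-check a Strict-Transport-Security header value.

Added example, not LoadMaster code: audits the header a Virtual Service
returns so a missing or over-long policy is caught before clients pin it.
"""
from typing import Dict, List, Optional

LOADMASTER_MAX_AGE = 31536000  # largest max-age the LoadMaster WUI accepts (seconds)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=300; includeSubDomains; preload' into a directive map.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(value: Optional[str], https_only_subdomains: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the policy looks sane.
    https_only_subdomains: operator's assertion that every sub-domain serves HTTPS."""
    findings: List[str] = []
    if value is None:
        findings.append("no Strict-Transport-Security header in the response")
        return findings
    d = parse_hsts(value)
    if "max-age" not in d:
        findings.append("max-age is mandatory but missing")
    elif not (d["max-age"] or "").isdigit():
        findings.append("max-age must be a non-negative integer number of seconds")
    elif int(d["max-age"]) > LOADMASTER_MAX_AGE:
        findings.append(f"max-age exceeds the LoadMaster limit of {LOADMASTER_MAX_AGE}")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    if "includesubdomains" in d and not https_only_subdomains:
        findings.append("includeSubDomains set but not all sub-domains are confirmed HTTPS-only")
    if "preload" in d and "includesubdomains" not in d:
        findings.append("preload requires includeSubDomains")  # hstspreload.org requirement
    return findings


def audit(headers: Dict[str, str], https_only_subdomains: bool = False) -> List[str]:
    """Run check_hsts over a response header map; header names are matched case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    return check_hsts(value, https_only_subdomains)


# Constructed sample responses (not captured from a real LoadMaster)
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "missing": {},
    "too-long": {"Strict-Transport-Security": "max-age=63072000"},
}
```

Run `audit()` over the headers your own client receives from the Virtual Service; with ESP enabled, remember to test as an authenticated user, since the content rule is not applied until authentication has completed.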

Comments

itis

I've recently been doing some testing with HSTS headers and I think I have just spotted a slight gap in the method described above. I believe that if you have ESP configured for a virtual service this is not applied until after the pre-auth is performed.

Andres Garcia de Alba

Hello itis,

You are correct. If ESP is enabled, the user must first be authenticated before any traffic is processed by the virtual service (this includes content rules).