Adding HSTS Headers to ESP challenge

0

I've recently been doing some testing with HSTS headers and I think I have just spotted a slight gap in the method suggested here: https://support.kemptechnologies.com/hc/en-us/articles/203915119-How-can-the-LoadMaster-set-HTTP-Strict-Transport-Security

If you have ESP configured for a virtual service, this is not applied until after the pre-auth is performed.

3 comments

0
Jonathan Kopf

There is a limitation with the response content rules: they only apply to server responses. As the ESP authentication occurs within the LoadMaster prior to contacting the server, the response rule will not apply until after the user has authenticated.

However, since HSTS is designed to affect subsequent visits to the site, not the current session, you would still have the same results as long as the user is able to successfully log in. To catch those first-time users who have not yet seen the HSTS flag, a traditional HTTP to HTTPS redirect on the load balancer is recommended whenever HSTS is used.

0
itis

Thanks for the response Jonathan, I was able to confirm that the site I was testing against returned the HSTS headers correctly once logged in. However, using something like the ssllabs.com server test, which seems to be becoming the de facto standard, it is obviously not able to log in to the tested site, so it doesn't see the HSTS headers.

I guess this moves to a feature request then; it would be nice to be able to add HSTS headers to the ESP pages so it is presented to the user on first connection regardless of whether they log in or not.

0
jb

A late reply to this thread, but I think it adds something:

I was playing with this too. It seems Kemp added an option to the SSL Properties, "Strict Transport Security Header".
Using this instead of manually adding the header yourself does show to unauthenticated users when using the ESP feature. But it doesn't help for a Qualys Labs rating, as the time used in the option is too low (and you can't modify it).
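Two points in this thread are easy to verify by hand: itis's observation that an unauthenticated scanner only ever sees the ESP login response and so never gets the header, and jb's observation that a header which is present but carries a short max-age still earns no credit. The script below is an added illustration written for this thread, not Kemp code or anything from the LoadMaster documentation. It parses a raw HTTP response, extracts and parses the Strict-Transport-Security value per RFC 6797, and reports whether the policy would satisfy a scanner. The three sample responses are constructed here, not captured from a real LoadMaster, and the 180-day minimum is the threshold SSL Labs documents for HSTS credit, treated as a configurable assumption.

```python
"""Check what an unauthenticated client would see from a TLS front end.

Added illustration for this thread (not Kemp code). All responses below are
constructed samples, not captures from a real LoadMaster.
"""
from dataclasses import dataclass
from typing import Optional

# SSL Labs documents 180 days as the minimum max-age for HSTS credit;
# treated here as an assumption the caller can override.
MIN_MAX_AGE = 180 * 24 * 3600  # 15552000 seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when the value is malformed, e.g. max-age is missing or
    non-numeric, which a conforming browser would ignore entirely.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def parse_response_headers(raw: str) -> dict:
    """Return the headers of a raw HTTP response as a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            key, val = line.split(":", 1)
            headers[key.strip().lower()] = val.strip()
    return headers


def assess(raw_response: str, min_max_age: int = MIN_MAX_AGE) -> dict:
    """Report whether the response carries an HSTS policy a scanner would credit."""
    value = parse_response_headers(raw_response).get("strict-transport-security")
    if value is None:
        return {"present": False, "policy": None, "long_enough": False}
    policy = parse_hsts(value)
    if policy is None:
        return {"present": True, "policy": None, "long_enough": False}
    return {"present": True, "policy": policy,
            "long_enough": policy.max_age >= min_max_age}


# Constructed sample: the ESP login page an unauthenticated client gets.
# The response content rule never fires because no back-end server replied.
PRE_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=example; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>login form</html>"
)

# Constructed sample: a server reply after login, with the rule applied.
POST_AUTH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html>app</html>"
)

# Constructed sample: header present, but max-age too short for credit.
SHORT_MAX_AGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in [("pre-auth", PRE_AUTH_RESPONSE),
                      ("post-auth", POST_AUTH_RESPONSE),
                      ("short max-age", SHORT_MAX_AGE_RESPONSE)]:
        print(f"{name}: {assess(raw)}")
```

Running it against a real front end would mean substituting the captured response from an unauthenticated request for `PRE_AUTH_RESPONSE`; if `present` is false there, that is exactly the gap the scanner reports, and if it is true but `long_enough` is false, the policy will be seen but not credited.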