Adding HSTS Headers to ESP challenge


4 comments


Permanently deleted user

There is a limitation with the response content rules: they only apply to server responses. As the ESP authentication occurs within the LoadMaster prior to contacting the server, the response rule will not apply until after the user has authenticated.

However, since HSTS is designed to affect subsequent visits to the site, not the current session, you would still have the same results as long as the user is able to successfully log in. To catch those first-time users who have not yet seen the HSTS flag, a traditional HTTP to HTTPS redirect on the load balancer is recommended whenever HSTS is used.


itis

Thanks for the response, Jonathan. I was able to confirm that the site I was testing against returned the HSTS headers correctly once logged in. However, using something like the ssllabs.com server test, which seems to be becoming the de facto standard, it is obviously not able to log in to the tested site, so it doesn't see the HSTS headers.

I guess this moves to a feature request then: it would be nice to be able to add HSTS headers to the ESP pages so they are presented to the user on first connection, regardless of whether they log in or not.


jb

A late reply to this thread, but I think it adds something:

I was playing with this too. It seems Kemp added an option to the SSL Properties, "Strict Transport Security Header".
Using this instead of manually adding the header yourself does show it to unauthenticated users when using the ESP feature. But it doesn't help for a Qualys labs rating, as the time used in the option is too low (and you can't modify it).

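The three replies above describe the same gap from different angles: the ESP login page is the first thing an unauthenticated client (or an external scanner such as the SSL Labs test) sees, so a header that only appears after login is invisible to the rating, and a header with a short max-age is visible but rated poorly. The script below is an added example, not code from this thread or from Kemp. It checks what a scanner actually checks: the first TLS response must carry a well-formed Strict-Transport-Security header with a long enough max-age, and the plaintext port 80 response must redirect to https://. The sample responses are constructed inline, not captured from a real LoadMaster, and the 180-day (15552000 s) threshold is an assumption taken from commonly cited scanner guidance; adjust it to the rating you are targeting.

```python
"""HSTS readiness check for a site fronted by an authenticating proxy.

Added example, not code from the original thread or from Kemp. It models
what an external scanner sees: the very first, unauthenticated response.
Sample responses are constructed inline; the 180-day max-age threshold
is an assumption, not a documented SSL Labs constant.
"""
import re
from dataclasses import dataclass
from typing import Optional

MIN_MAX_AGE = 15552000  # assumed threshold: 180 days in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {name: value}).

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns None when the mandatory max-age directive is missing or malformed.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_https_response(raw: bytes, min_max_age: int = MIN_MAX_AGE) -> list:
    """Findings for the first TLS response, the one a scanner rates."""
    _status, headers = parse_http_response(raw)
    sts = headers.get("strict-transport-security")
    if sts is None:
        return ["no Strict-Transport-Security header on first response"]
    policy = parse_hsts(sts)
    if policy is None:
        return [f"malformed HSTS header: {sts!r}"]
    if policy.max_age < min_max_age:
        return [f"max-age {policy.max_age} below {min_max_age}"]
    return []


def check_http_response(raw: bytes) -> list:
    """Findings for the plaintext port 80 response: it must redirect to https://."""
    status, headers = parse_http_response(raw)
    location = headers.get("location", "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        return ["port 80 does not redirect to https://"]
    return []


# Constructed sample responses (not captured from any real LoadMaster).
ESP_CHALLENGE = (  # login page served before authentication, no HSTS
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Set-Cookie: ESP_SESSION=abc; Secure; HttpOnly\r\n\r\n<html>login form</html>"
)
SHORT_HSTS = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3600\r\n\r\n"
GOOD_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
)
PLAIN_REDIRECT = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("ESP challenge", ESP_CHALLENGE), ("short", SHORT_HSTS), ("good", GOOD_HSTS)]:
        print(label, check_https_response(raw) or "ok")
    print("port 80", check_http_response(PLAIN_REDIRECT) or "ok")
```

To run it against a live virtual service, feed `check_https_response` the raw bytes of the first response from an unauthenticated connection (for example via `http.client` or a captured `curl -i` transcript); the check deliberately never follows the login flow, because that is exactly what the scanner cannot do.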


Madelyn eachern

Enable the modification of response headers. Uncomment the following LoadModule directive for the mod_headers module in the httpd.conf file: LoadModule headers_module modules/mod_headers.so

Define the HSTS policy for clients. Make the following updates in the httpd.conf file:
