Make sense, yes the header is telling the backend servers to maintain a secure session, we recently moved to F5 from a different vendor and it would appear that the header variable (ASP server variable) may be displayed differently. The team is checking using something like the following:
if Request.ServerVariables("SSL_ENV")="On" then
When I dump the REQUEST in the iRule I see the following:
SSL_ENV: On
It appears F5 is appending the variable with a :, but if I check the value on the F5 in an iRule (e.g., if it exists), the boolean will return true if I specify variable = "On", but the code doesn't see that. Not sure if the : is the culprit or what.
Regarding the RESPONSE yes you are correct, there is no client side work going on, this is all on the backend for each request that comes through.