
saidshow
Oct 31, 2019

HSTS / ASM connection drops

Hi All,

We currently implement HSTS as an iRule on the F5, and we also decrypt and inspect traffic with ASM. There are discussions internally on our side about adding HSTS to the web server responses on the actual server rather than from the F5. If we were to do this, is it possible/likely that F5 ASM decrypting the traffic will then result in connection drops?

Thank you

  • No, I have enabled HSTS in an F5 iRule and the VIP is tagged with an ASM policy. No issue found so far.

    • saidshow

      That is what we have presently also, and it works fine. Since we are looking at placing the HSTS in the app, the tunnel will be longer; however, the tunnel will need to be broken for ASM inspection, thus my expectation that this may cause a problem.

  • No. I have not faced this issue. However, I would suggest you validate the HSTS setting in a test environment or during non-business hours (prod application) to be 100% sure.

    • saidshow

      Thanks. In our TEST environment I have HSTS set up on the F5. If the business does decide to do the HSTS in the app, then we will certainly start in the TEST environment and monitor.

      To confirm, you are using ASM, ASM is working as expected, and HSTS is enabled in code rather than on the F5?
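
The test-environment validation suggested in the thread can be scripted. The following is an added example, not part of the original posts and not F5 code: it audits the `Strict-Transport-Security` headers of a single response as the client sees it, including the case where both the iRule and the application emit the header while the setting is being moved. The sample header lines and the 180-day `min_max_age` threshold are constructed assumptions.

```python
def parse_hsts(value):
    """Parse one Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        val = val.strip().strip('"') if val else None   # max-age may be a quoted string
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = val
    return directives

def audit_hsts(header_lines, min_max_age=15552000):
    """Return findings for the HSTS headers of one HTTPS response.

    header_lines: "Name: value" strings exactly as the client received them.
    min_max_age: assumed local policy threshold (180 days), not from the thread.
    """
    values = []
    for line in header_lines:
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(val.strip())
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        # RFC 6797 section 8.1: a user agent processes only the first STS header.
        findings.append(f"duplicate: {len(values)} headers, clients use only the first")
    try:
        directives = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"invalid: {exc}"]
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("invalid: max-age missing or not an integer")
    elif int(max_age) < min_max_age:
        findings.append(f"weak: max-age {max_age} below {min_max_age}")
    return findings

# Constructed sample responses (headers only), as seen on the client side of the VIP.
F5_ONLY = ["Content-Type: text/html",
           "Strict-Transport-Security: max-age=31536000; includeSubDomains"]
BOTH = ["strict-transport-security: max-age=31536000",   # constructed: set by the app
        "Strict-Transport-Security: max-age=300"]         # constructed: set by the iRule
NEITHER = ["Content-Type: text/html"]
```

Running `audit_hsts` against responses captured before and after the change shows whether the header went missing, was doubled, or changed value at the cutover.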