Difference between revisions of "F5 Big IP HSTS"

From UVOO Tech Wiki
Jump to navigation Jump to search
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 +
set it for a redirect
 +
```
 +
HTTP::respond 301 Location "https://www.example.com[HTTP::uri]" Strict-Transport-Security "max-age=31536000"
 +
 +
default { HTTP::respond 301 Location "https://www.example.com[HTTP::uri]" Strict-Transport-Security "max-age=31536000"; persist none }
 +
```
 +
 +
301 redirect
 +
https://support.f5.com/csp/article/K30114265
 +
 +
VS response
 +
https://support.f5.com/csp/article/K68657325
 +
 +
 
https://hstspreload.org/
 
https://hstspreload.org/
  

Latest revision as of 04:02, 16 August 2022

set it for a redirect 

HTTP::respond 301 Location "https://www.example.com[HTTP::uri]" Strict-Transport-Security "max-age=31536000"

default { HTTP::respond 301 Location "https://www.example.com[HTTP::uri]" Strict-Transport-Security "max-age=31536000"; persist none }

301 redirect https://support.f5.com/csp/article/K30114265

VS response https://support.f5.com/csp/article/K68657325

https://hstspreload.org/

https://stackoverflow.com/questions/42866025/do-i-need-to-enable-hsts-in-addition-to-forcing-https-in-htaccess

https://support.f5.com/csp/article/K68657325 

nmap -p 443 --script http-security-headers 10.x.x.y

NGINX Example - 

# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self' www.google-analytics.com ajax.googleapis.com www.google.com google.com gstatic.com www.gstatic.com connect.facebook.net facebook.com;";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";

https://serverfault.com/questions/874936/adding-hsts-to-nginx-config

Retrieved from "https://tech.uvoo.io/index.php?title=F5_Big_IP_HSTS&oldid=3335"