
Netscaler A+ ->Strict Transport Security (HSTS) - Invalid header



I've been using best practices to score an A+ on the https://www.ssllabs.com/ssltest/ website. I had configured the HSTS header from Carl's article: https://www.carlstalhood.com/ssl-virtual-servers-netscaler-12/.


Unfortunately, as of late my recent SSL reports indicate the following error: Server sent invalid HSTS policy.


  • 2 months later...

Hi achandr,

Did you configure the HSTS header in the SSL Profile, in a rewrite policy, or both?


You only need to configure it once. I would recommend using a rewrite policy and not the setting in the SSL Profile. I am quite sure that the SSL Profile won't check if the header exists (sent from the backend system) and will add it to the existing one. Your SSL Report would show an error.


You will have the same problem with a rewrite policy and an expression like "HTTP.REQ.IS_VALID". You should use the expression "HTTP.RES.HEADER("Strict-Transport-Security").EXISTS.NOT". So the HSTS header is only applied when the header is not in the response from the backend system.


Best regards,

Jens


  • 8 months later...

I've been using 'true' as the manual rewrite policy expression with no issues for a long time, so I disagree with the above poster from my own experience.

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header


I'm just trying to find out if there are issues or drawbacks in using the built-in method now that we're on 12.0, before I go ahead and use it instead of the rewrite method.
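An added check, written for this thread and not taken from any of the posters or from Citrix: a small Python validator that applies the RFC 6797 rules for the Strict-Transport-Security header to a response's header list. The constructed samples show what a scanner sees when the backend already sends HSTS and a rewrite fires unconditionally (two headers), versus a single header as produced by the EXISTS.NOT expression Jens describes; the header values are assumptions, not captured from a real vserver.

```python
import re
from typing import List, Tuple

# RFC 6797 rules applied below: the value is a ';'-separated list of
# directives, max-age is required, no directive may appear twice, and a
# UA processes only the first STS header if several are sent (section 8.1).
MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')  # max-age = delta-seconds, optionally quoted

def validate_hsts(headers: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for the HSTS policy in a (name, value) header list."""
    problems: List[str] = []
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return False, ["no Strict-Transport-Security header"]
    if len(sts) > 1:
        # Typical cause on this thread: backend and NetScaler each inserted one.
        problems.append(f"{len(sts)} Strict-Transport-Security headers sent (expected 1)")
    seen = set()
    for directive in sts[0].split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name in seen:
            problems.append(f"directive {name!r} repeated")
        seen.add(name)
        if name == "max-age":
            if not MAX_AGE_RE.match(value):
                problems.append(f"max-age value {value!r} is not a non-negative integer")
        elif name in ("includesubdomains", "preload") and value:
            problems.append(f"directive {name!r} takes no value")
        # any other directive name is ignored, as RFC 6797 section 6.1 requires
    if "max-age" not in seen:
        problems.append("max-age directive missing")
    return not problems, problems

# Constructed samples (assumed values, not a real capture).
BACKEND_PLUS_REWRITE = [                       # backend sends HSTS, rewrite fires on 'true'
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Strict-Transport-Security", "max-age=157680000"),
]
NETSCALER_ONLY = [                             # rewrite guarded by EXISTS.NOT, backend silent
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=157680000"),
]

if __name__ == "__main__":
    for label, hdrs in (("backend+rewrite", BACKEND_PLUS_REWRITE), ("netscaler-only", NETSCALER_ONLY)):
        print(label, validate_hsts(hdrs))
```

Feed it the header list from a real response (for example from `http.client` or `requests`) to confirm a vserver sends exactly one well-formed policy after the policy expression is changed.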
