
Getting double HSTS header

William Olmstead

I am trying to update my HSTS to 31536000 but when I set it, it doubles it.  I can't find anywhere that it is being set.


# grep 15724800 ns.conf
# grep 31536000 ns.conf
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=31536000\""


When I set this, I get the following:

curl -s -D- https://domain.com | grep Strict
Strict-Transport-Security: max-age=15724800; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains


I am trying to replace 15724800, but for some reason, it does not replace it but instead just adds a double header. Could it be getting the lower age from the app instead of the Netscaler?




Hi Keith,
Your ADC will append your STS header to the response because your rewrite action is "Insert_HTTP_Header". If there is no company policy for special HTTP headers (like STS, X-Frame-Options, CSP), I usually accept the setting made by the developers, because these headers are not defaults and the developers gave it some thought before configuring it (hopefully). But if these headers are not present, I insert them by default.


You have two possibilities to solve your problem.
1) First you can change your Rewrite Policy to something like "HTTP.REQ.HEADER("Strict-Transport-Security").EXISTS.NOT", then your Header only gets appended when it is not already set.
2) Second possibility would be to create a Rewrite Action with Type REPLACE.
--> Type: REPLACE
--> Expression to choose target location: HTTP.RES.HEADER("Strict-Transport-Security")
--> Expression: "max-age=31536000; includeSubDomains"
Rewrite Policy Expression: true

But before you start configuring your Rewrite Action/Policy, please check that your second STS header is set by your developers and not by the SSL Profile bound to your Virtual Server! Sometimes you enable default settings and these default values are not present in ns.conf.


Best regards,


I would not use a rewrite policy at all. There are HTTP profiles, and you should do it using HTTP profiles. That's what they are good for!

I guess the server sends the first HSTS header and the NetScaler adds a second one. This would explain why these two headers specify different sizes. NetScaler never adds a header with sizes not found in the running configuration. You could use an expression like this one to avoid duplicated headers: HTTP.RES.HEADER("Strict-Transport-Security").EXISTS.NOT.


You would have to delete the header and add a new one if you want to change the value of the header using rewrite policies.
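
To confirm what a client actually receives after changing the rewrite or profile configuration, the check below (an added example, not part of any post in this thread) counts the Strict-Transport-Security headers in a response and reports which max-age takes effect; under RFC 6797 section 8.1 a browser processes only the first such header. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Strict-Transport-Security headers in a raw HTTP response.
# Feed it response headers on stdin, e.g.:
#   curl -s -D- -o /dev/null https://domain.com | hsts_audit

hsts_audit() {
    awk '
    { sub(/\r$/, "") }                 # curl -D- keeps CRLF line endings
    $0 == "" { exit }                  # blank line ends the header block
    tolower($0) ~ /^strict-transport-security[ \t]*:/ {
        n++
        value = tolower($0)            # field names are case-insensitive
        sub(/^[^:]*:[ \t]*/, "", value)
        age = "none"
        m = split(value, dirs, ";")    # directives are ;-separated
        for (i = 1; i <= m; i++) {
            d = dirs[i]
            gsub(/[ \t"]/, "", d)
            if (d ~ /^max-age=[0-9]+$/) age = substr(d, 9)
        }
        if (n == 1) { first = age; ages = age }
        else {
            ages = ages "," age
            if (age != first) conflict = 1
        }
    }
    END {
        if (n == 0) { first = "none"; ages = "none" }
        # effective = first header, the only one a browser processes
        printf "count=%d effective=%s all=%s conflict=%s\n",
               n, first, ages, (conflict ? "yes" : "no")
    }'
}

# Constructed response carrying the two headers shown in the question.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Strict-Transport-Security: max-age=15724800; includeSubDomains\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf '\r\n<html></html>\r\n'
}

sample_response | hsts_audit
```

For the response in the question this reports two headers with the first one, 15724800, as the effective value, so an inserted second header does not raise the max-age a browser applies.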
