Question
Ross Helfand
Hello,
I have a bit of a strange issue. I think I understand what is going on, but not how to fix it.
If I run my URL through SSLLabs, it tells me that Strict Transport Security (HSTS) is set to "no."
However I have enabled HSTS using a rewrite action (and I also tried binding the options to my SSL virtual server). If I run a 'curl' to the root of my application, I don't see the HSTS headers, and I get a "403 Forbidden" response. If I run a 'curl' to a known static image or page behind my Netscaler, I get the image and the expected 'Strict-Transport-Security' headers.
I assume what's happening is that my WAF is blocking access to "/" and therefore the rewrite action is never getting hit. Is there a way that I can get SSLLabs to recognize HSTS? Do I just need to set my WAF to allow access to "/"?
Thanks!
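The quickest way to confirm the diagnosis in the question is to compare the raw response headers for "/" with those for the static image, since a scanner such as SSL Labs only looks at the response it gets for the root URL. The checker below is an added example written for this thread; it is not code from the original post or from Citrix/NetScaler. It parses raw HTTP response heads (what `curl -s -D - -o /dev/null https://host/` prints) and reports whether a `Strict-Transport-Security` header is present and whether its `max-age` meets the 180-day minimum (15552000 seconds) SSL Labs expects before it credits HSTS; that threshold and the three sample responses are assumptions constructed to mirror the behaviour described above, not captured output.

```python
"""Check whether an HTTPS response carries a usable Strict-Transport-Security header.

Added example for this thread; not from the original post or from NetScaler.
Feed it the raw head of a response (for a GET rather than HEAD, use
`curl -s -D - -o /dev/null https://host/`) and it tells you whether the
response would satisfy a scanner that only fetches "/".
"""
import re

# Assumed scanner threshold: SSL Labs wants max-age of at least 180 days.
SSLLABS_MIN_MAX_AGE = 15552000


def parse_response(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def parse_hsts(value: str):
    """Parse HSTS directives (RFC 6797) into (max_age or None, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None  # malformed value; treated as missing below
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def check_hsts(raw: str):
    """Describe the HSTS state of one response and list anything a scanner would reject."""
    status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    result = {"status": status, "present": value is not None, "max_age": None,
              "include_subdomains": False, "preload": False, "problems": []}
    if value is None:
        # A 403 is still a TLS response; it may carry HSTS. Here it simply does not.
        result["problems"].append("no Strict-Transport-Security header on this response")
        return result
    max_age, inc, pre = parse_hsts(value)
    result.update(max_age=max_age, include_subdomains=inc, preload=pre)
    if max_age is None:
        result["problems"].append("max-age directive missing or not an integer")
    elif max_age < SSLLABS_MIN_MAX_AGE:
        result["problems"].append(f"max-age {max_age} is below {SSLLABS_MIN_MAX_AGE}")
    return result


# Constructed sample responses (assumptions, not captured from a real appliance):
# the WAF-generated 403 for "/" without the header, and a backend 200 that has it.
ROOT_403 = ("HTTP/1.1 403 Forbidden\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: 0\r\n\r\n")
IMAGE_200 = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: image/png\r\n"
             "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
             "Content-Length: 0\r\n\r\n")
SHORT_200 = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=3600\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("/", ROOT_403), ("/static/logo.png", IMAGE_200), ("short max-age", SHORT_200)):
        print(label, check_hsts(raw))
```

Two things to watch when running the real check: `curl -I` sends a HEAD request, which a WAF may treat differently from the GET a scanner sends, so use `-D -` with a GET; and if the 403 for "/" comes back without the header while the image does carry it, the header is being added only on responses that reach the backend, so whatever generates the 403 also needs to emit it (or "/" needs to stop being blocked) before the root response will satisfy the scanner.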