Hello,
I have a bit of a strange issue. I think I understand what is going on, but not how to fix it.
If I run my URL through SSLLabs, it tells me that Strict Transport Security (HSTS) is set to "no."
However, I have enabled HSTS using a rewrite action (and I also tried binding the options to my SSL virtual server). If I run a 'curl' to the root of my application, I don't see the HSTS headers, and I get a "403 Forbidden" response. If I run a 'curl' to a known static image or page behind my Netscaler, I get the image and the expected 'Strict-Transport-Security' headers.
I assume what's happening is that my WAF is blocking access to "/" and therefore the rewrite action is never getting hit. Is there a way that I can get SSLLabs to recognize HSTS? Do I just need to set my WAF to allow access to "/"?
Thanks!