Strict Transport Security (HSTS) with Redirect

Article ID: 250718


Products

ProxySG Software - SGOS
Advanced Secure Gateway Software - ASG
ISG Proxy

Issue/Introduction


Is it possible for the proxy to perform a redirect and apply the HSTS header?

With policy like the following, the proxy does not appear to add the HSTS header when the traffic is redirected:

<proxy>
    ALLOW url.scheme=http url.host=example.com action.Redirect_to_HTTPS_example1(yes)

define action Redirect_to_HTTPS_example1
    redirect( 302, "http://example.com(.*)", "https://example1.com/$(1)" )
end action Redirect_to_HTTPS_example1

<proxy>
    url.domain=example.com action.ControlResponseHeader_HSTS(yes)

define action ControlResponseHeader_HSTS
    set(response.x_header.Strict-Transport-Security, "max-age=300")
end action ControlResponseHeader_HSTS

Cause


The redirect is handled as an exception in the proxy's policy evaluation, so a header set on the normal response is not applied to it.

When the 301/302 redirect occurs, the policy trace (ptrace) shows:

verdict: REDIRECT(policy_redirect)

Resolution


Add the HSTS header using "exception.response.x_header.Strict-Transport-Security":

define action ControlResponseHeader_HSTS_temp
    set(exception.response.x_header.Strict-Transport-Security, "max-age=300")
end action ControlResponseHeader_HSTS_temp


When the 301/302 redirect happens, you will see this line in the policy trace:

set exception.response header 'Strict-Transport-Security'
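Added example, not from this article or SGOS: a small Python check that parses a captured redirect response (the samples below are constructed) and reports whether it is an HTTPS redirect carrying Strict-Transport-Security with at least the configured max-age. It also checks the HTTPS response, because browsers ignore an STS header that arrives over plain HTTP (RFC 6797, section 8.1), so the header on the redirect alone does not enable HSTS.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses, modelled on the 302 policy redirect in the article.
REDIRECT_WITHOUT_HSTS = b"HTTP/1.1 302 Found\r\nLocation: https://example1.com/\r\n\r\n"
REDIRECT_WITH_HSTS = (b"HTTP/1.1 302 Found\r\nLocation: https://example1.com/\r\n"
                      b"Strict-Transport-Security: max-age=300\r\n\r\n")

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Return the max-age directive of Strict-Transport-Security, or None if absent."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_redirect(raw: bytes, min_max_age: int = 300) -> List[str]:
    """Findings for the proxy's HTTP->HTTPS redirect; an empty list means it is correct."""
    status, headers = parse_response(raw)
    findings: List[str] = []
    if status not in (301, 302, 307, 308):
        findings.append(f"expected a redirect status, got {status}")
    location = headers.get("location", "")
    if not location.lower().startswith("https://"):
        findings.append(f"Location does not point to https: {location!r}")
    age = hsts_max_age(headers)
    if age is None:
        findings.append("Strict-Transport-Security header missing on the redirect")
    elif age < min_max_age:
        findings.append(f"max-age {age} is below the expected {min_max_age}")
    return findings

def check_https_response(raw: bytes, min_max_age: int = 300) -> List[str]:
    """Browsers only honor HSTS received over TLS, so the HTTPS response must carry it too."""
    age = hsts_max_age(parse_response(raw)[1])
    if age is None:
        return ["Strict-Transport-Security header missing on the HTTPS response"]
    return [] if age >= min_max_age else [f"max-age {age} is below the expected {min_max_age}"]
```

Feed it the raw response captured from the browser's network panel or a packet capture; any finding means the policy above is not taking effect as expected.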


Also, from the browser's F12 developer tools: