Strict Transport Security (HSTS) with Redirect


Article ID: 250718




ProxySG Software - SGOS Advanced Secure Gateway Software - ASG ISG Proxy


Is it possible for the proxy to perform a redirect and apply the HSTS header to the redirect response?

Using policy like the following, the proxy does not seem to add the HSTS header when the traffic is redirected:

<proxy>
    ALLOW url.scheme=http action.Redirect_to_HTTPS_example1(yes)

define action Redirect_to_HTTPS_example1
    ; capture everything after "http://" as $(1) and send the client to the https:// equivalent
    redirect( 302, "^http://(.*)", "https://$(1)" )
end action Redirect_to_HTTPS_example1

<proxy>
    action.ControlResponseHeader_HSTS(yes)

define action ControlResponseHeader_HSTS
    ; response.x_header applies to server responses only, not to the policy redirect
    set(response.x_header.Strict-Transport-Security, "max-age=300")
end action ControlResponseHeader_HSTS


The redirect is handled as an exception during proxy policy evaluation, so a header set with response.x_header is never applied to it.

When the 301/302 redirect is issued, you will see the following in the policy trace (ptrace):

verdict: REDIRECT(policy_redirect)


Add the HSTS header using the exception.response.x_header.Strict-Transport-Security property instead, so that it is applied to the exception (redirect) response:

define action ControlResponseHeader_HSTS_temp
    ; exception.response.x_header is applied to policy-generated responses such as the 302 redirect
    set(exception.response.x_header.Strict-Transport-Security, "max-age=300")
end action ControlResponseHeader_HSTS_temp

When the 301/302 redirect happens, you will see this line in the policy trace:

set exception.response header 'Strict-Transport-Security'
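To confirm the result from the client side rather than from the policy trace, the following added example (not part of this article and not Broadcom code) parses a raw HTTP response the way a browser would and reports the Strict-Transport-Security directives it carries. The sample 302 response is constructed to match what the proxy should emit once the exception-header action above is in place. The example also applies the caveat from RFC 6797 that a user agent ignores an STS header received over plain HTTP, so the header is only enforced on a response delivered over TLS; the delivered_over_tls flag is an input you supply from how the response was captured.

```python
"""Check whether an HTTP response carries a Strict-Transport-Security header
that a browser would actually honour.

Added example, not from the KB article. The sample response below is
constructed; feed check_hsts() the raw bytes of a captured response instead.
"""
import re

# Constructed sample: the 302 from the redirect action with the HSTS header
# added by the exception.response.x_header action (assumed proxy output).
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.com/\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response string.

    Header names are lower-cased; each value is kept in a list so repeated
    fields are preserved in order of appearance.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def parse_hsts(value):
    """Parse STS directives (RFC 6797 section 6.1) into a dict.

    Directive names are lower-cased; max-age is converted to an int and
    valueless directives such as includeSubDomains map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(raw, delivered_over_tls):
    """Report whether the response carries HSTS and whether a UA would enforce it."""
    status, headers = parse_response(raw)
    result = {"status": status, "hsts_present": False,
              "directives": {}, "effective": False}
    sts_values = headers.get("strict-transport-security")
    if not sts_values:
        return result
    result["hsts_present"] = True
    # RFC 6797 6.1: when several STS fields are present only the first is processed.
    result["directives"] = parse_hsts(sts_values[0])
    # RFC 6797 8.1: a UA MUST ignore STS received over insecure transport, and
    # the policy is only usable with a max-age directive. A header on a plain
    # HTTP 302 is therefore visible in the trace but never enforced.
    result["effective"] = delivered_over_tls and "max-age" in result["directives"]
    return result


if __name__ == "__main__":
    for tls in (False, True):
        print("over TLS" if tls else "over HTTP", check_hsts(SAMPLE_REDIRECT, tls))
```

Run it against a response captured from the proxy (for example, pasted from a packet capture or the developer tools raw view) and pass delivered_over_tls according to how the client received it; an HSTS header on the http:// redirect will show hsts_present but not effective, which is the distinction to keep in mind when deciding where in the flow the header is meant to be enforced.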

Also, from the browser's F12 developer tools: