How to delete duplicate HSTS header

Article ID: CTX477377

Description

This article explains how to eliminate a duplicate HSTS (Strict-Transport-Security) header.

Duplicate HSTS header
Why does it happen? The header can come from the backend server and also be applied by the ADC vserver configuration, so we need to decide which header to keep. In this case, the customer wants to delete the HSTS header coming from the server and keep only the one that the SSL profile applies to the reply sent to the client.


Instructions

  1. Determine first whether the header is coming from the backend server.
  2. Without HSTS being applied from the ADC, open the web page, use the browser's developer tools > Network > Headers, and find the HSTS header.

In the image below we can see two headers, because the customer was applying one from the SSL profile and one from the backend server without knowing it; this is the error you will find:

[Image: browser developer tools showing two Strict-Transport-Security response headers]

  3. Create the rewrite policy to remove this header from the server reply.

Action:
add rewrite action remove_header delete_http_header Strict-Transport-Security

Policy:
add rewrite policy Remove_header HTTP.RES.IS_VALID remove_header

  4. Bind this policy to the vserver as a response policy (this could be the LB or CS vserver the client connects to, because this policy tells the ADC: take the response from the server, remove the header, and send the packet to the client with the ADC's HSTS header).
  5. At this point you can verify again whether the header coming from the server has been eliminated (it should be).
  6. Now enable HSTS on the virtual server with max-age and include subdomains.
  7. You should now see just one HSTS header.

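As an added example (not part of the article or of NetScaler's own tooling), the Python check below parses a raw HTTP response and reports whether the Strict-Transport-Security header is missing, duplicated, or present exactly once with a max-age; the two sample responses are constructed to mirror the before-and-after state of the steps above.

```python
# Added example (not from the Citrix article): detect duplicate
# Strict-Transport-Security headers in a raw HTTP response, offline.
HSTS = "strict-transport-security"

# Constructed sample: backend server and ADC SSL profile both add HSTS.
BEFORE_FIX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Strict-Transport-Security: max-age=15768000\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: after the rewrite policy strips the backend header.
AFTER_FIX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from the response head."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_values(raw: bytes) -> list[str]:
    """All HSTS header values present; browsers only honour one."""
    return [v for n, v in parse_headers(raw) if n == HSTS]

def hsts_directives(value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a directive map."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def hsts_status(raw: bytes) -> str:
    """'missing', 'duplicate', 'invalid' (no max-age) or 'ok'."""
    values = hsts_values(raw)
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"
    return "ok" if "max-age" in hsts_directives(values[0]) else "invalid"
```

Run it against a response captured from the vserver before and after binding the rewrite policy: the result should move from "duplicate" to "ok".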

Issue/Introduction

How to delete the HSTS header when you have detected a duplicate.

Additional Information

Configuring HSTS with a policy: https://support.citrix.com/article/CTX205221/how-do-i-configure-http-strict-transport-security-hsts-on-netscaler