ADC

Configure support for HTTP strict transport security (HSTS)

Citrix ADC appliances support HTTP strict transport security (HSTS) as an in-built option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

Enable HSTS in an SSL front-end profile or on an SSL virtual server. If you enable SSL profiles, then you should enable HSTS on an SSL profile instead of enabling it on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included. For example, you can specify that subdomains for www.example.com, such as www.abc.example.com and www.xyx.example.com, can be accessed only by using HTTPS by setting the IncludeSubdomains parameter to YES.

If you access any web sites that support HSTS, the response header from the server contains an entry similar to the following:

HSTS response header

The client stores this information for the time specified in the max-age parameter. For subsequent requests to that web site, the client checks its memory for an HSTS entry. If an entry is found, it accesses that web site only by using HTTPS.

You can configure HSTS at the time of creating an SSL profile or an SSL virtual server by using the add command. You can also configure HSTS on an existing SSL profile or SSL virtual server by modifying it using the set command.

Configure HSTS by using the CLI

At the command prompt, type:

add ssl vserver <vServerName> -maxage <positive_integer> -IncludeSubdomains ( YES | NO)
set ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED )
<!--NeedCopy-->

OR

add ssl profile <name> -maxage <positive_integer> -IncludeSubdomains ( YES | NO )
set ssl profile <name> -HSTS ( ENABLED | DISABLED )

Arguments

HSTS

    State of HTTP Strict Transport Security (HSTS) on an SSL virtual server or SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.

    Possible values: ENABLED, DISABLED

    Default: DISABLED

maxage

    Set the maximum time, in seconds, in the strict transport security (STS) header during which the client must send only HTTPS requests to the server.

    Default: 0

    Minimum: 0

    Maximum: 4294967294

IncludeSubdomains

    Enable HSTS for subdomains. If set to Yes, a client must send only HTTPS requests for subdomains.

    Possible values: YES, NO

    Default: NO
<!--NeedCopy-->

In the following examples, the client must access the web site and its subdomains for 157,680,000 seconds only by using HTTPS.

add ssl vserver VS-SSL –maxage 157680000 –IncludeSubdomain YES
set ssl vserver VS-SSL –HSTS ENABLED
<!--NeedCopy-->
add sslProfile hstsprofile –HSTS ENABLED –maxage 157680000 –IncludeSubdomain YES
set sslProfile hstsprofile –HSTS ENABLED
<!--NeedCopy-->

Configure HSTS by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server of type SSL and click Edit.

Perform the following steps if the default SSL profile is enabled on the appliance.

  1. Select an SSL profile and click Edit.

  2. In Basic Settings, click the pencil icon to edit the settings. Scroll down and select HSTS and Include Subdomains.

    Enable HSTS

Perform the following steps if the default SSL profile is not enabled on the appliance.

  1. In Advanced Settings, select SSL Parameters.

  2. Select HSTS and Include Subdomains.

    Enable HSTS on virtual server

Support for HSTS preload

Note

This feature is available in release 12.1 build 51.x and later.

The Citrix ADC appliance supports adding an HSTS preload in the HTTP response header. To include the preload, you must set the preload parameter in the SSL virtual server or SSL profile to YES. The appliance then includes the preload in the HTTP response header to the client. You can configure this feature using both the CLI and the GUI. For more information about HSTS preload, see https://hstspreload.org/.

Following are examples of valid HSTS headers with preload:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
<!--NeedCopy-->
Strict-Transport-Security: max-age=63072000; preload
<!--NeedCopy-->

Configure HSTS preload by using the CLI

At the command prompt, type:

add ssl vserver <vServerName> -maxage <positive_integer> -preload ( YES | NO )
set ssl vserver <vServerName> -HSTS ( ENABLED | DISABLED )

<!--NeedCopy-->

OR

add ssl profile <name> -maxage <positive_integer> -IncludeSubdomains ( YES | NO ) -preload ( YES | NO )
set ssl profile <name> -HSTS ( ENABLED | DISABLED )

<!--NeedCopy-->

Configure HSTS preload by using the GUI

Perform the following steps if the default SSL profile is enabled on the appliance.

  1. Navigate to System > Profiles > SSL Profiles. Select an SSL profile and click Edit.

  2. In Basic Settings, click the pencil icon to edit the settings. Scroll down and select HSTS and Preload.

    Enable HSTS

Perform the following steps if the default SSL profile is not enabled on the appliance.

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server of type SSL and click Edit.

  2. In Advanced Settings, select SSL Parameters.

  3. Select HSTS and Preload.

    Enable HSTS on virtual server

Configure support for HTTP strict transport security (HSTS)