One of our customers has been

Miroslaw Polski · ‎05-05-2014

Hi All!

Does anybody know whether HTTP Strict Transport Security is supported on ACE? If so, which software version supports it?

Regards,

Miro

Kanwaljeet Singh · ‎05-06-2014

Hi Miro,

I cannot find anything which mentions specifically about this in latest releases as well. But i don't think there should be a problem since it is servers which tells the client to communicate over HTTPS for whatever time. If client comes on HTTPS and there is a proper configuration in place on ACE, then it will match the condition and ACE will just treat it as normal SSL traffic.

If you are looking for ACE to insert the "strict transport security" header, i again don't see a problem with that. Is there any other expectation here from ACE are you looking for?

Regards,

Kanwal

Miroslaw Polski · ‎05-08-2014

One of our customers has been advised to have it enabled on ACE, hence my research.

I was initially looking for a command to enable HSTS, however, as found here:

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

(and customer's sites are within the same domain), it's recommended to use HTTP code 301 redirection (as it is now).

Out of curiosity, how would you insert it on ACE?

Kanwaljeet Singh · ‎05-08-2014

Hi Miro,

You can use "insert http" command under policy map once you have defined the serverfarm.

Regards,

Kanwal

Does Cisco ACE support HSTS?