Enable HSTS with NetScaler
Written on August 3, 2016

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to reach your site only over HTTPS for the number of seconds given by max-age: plain http:// links are upgraded before a request is sent, and certificate errors become fatal rather than something the user can click through. It is also a requirement for the all-important A+ grade on the Qualys SSL Labs test, which expects a max-age of at least six months.

If a NetScaler sits in front of your service, it is often simpler to add the header on the Virtual Server that serves the content than on every back-end service or service group. A rewrite policy bound to the vServer does this.

NetScaler Rewrite Policy to enable HSTS

add rewrite action RW_ACT_HSTS insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy RW_POL_HSTS true RW_ACT_HSTS
bind lb vserver vs_remote -policy RW_POL_HSTS -priority 100 -gotoPriorityExpression END -type RESPONSE

All responses through this vServer will now carry the HSTS header. max-age is in seconds; 157680000 is five years. You can (and should) change it to your preferred value, but roll it out with a short value first: once a browser has stored the policy it will refuse plain HTTP for that host until the max-age expires, so every hostname covered by the header must genuinely be reachable over HTTPS. Bind the policy only to the SSL vServer, since browsers ignore the header when it arrives over plain HTTP. If the back end already sets the header, guard the policy expression so the header is not inserted a second time; browsers honour only the first copy they see. Thanks to Ivan Cacic for this tip!
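Once the policy is bound, it is worth checking what the vServer actually returns rather than trusting the config. The following is an added example, not code from the original post: a small Python checker that takes a raw HTTP response, parses the Strict-Transport-Security header per RFC 6797, and reports whether it is missing, duplicated, unparseable or below the six-month max-age that SSL Labs expects for A+. The threshold value and the sample responses are this example's own assumptions; the responses are constructed by hand, not captured from a NetScaler.

```python
"""Check that a captured HTTPS response carries a usable HSTS header.

Constructed example, not part of the original post: given the raw response
text a NetScaler vServer returns after the rewrite policy above is bound,
verify that Strict-Transport-Security is present, parses correctly, and
meets the max-age that Qualys SSL Labs expects for an A+ rating.
"""
import re

# SSL Labs wants a max-age of at least six months for A+. The exact
# number of seconds below is this example's assumption of that threshold.
MIN_MAX_AGE = 15768000


def parse_hsts(value):
    """Parse an HSTS field value into its directives (RFC 6797, section 6.1).

    Directive names are case-insensitive, max-age is required and must be
    digits only (optionally quoted), and no directive may appear twice.
    Returns None if the value is not a valid HSTS field value.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:            # a repeated directive makes the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are permitted by the RFC and ignored here
    if result["max_age"] is None:   # max-age is the one mandatory directive
        return None
    return result


def check_response(raw_response, min_max_age=MIN_MAX_AGE):
    """Return a list of findings for the HSTS header in a raw HTTP response.

    An empty list means the response passes. Only the first header is
    evaluated because that is what browsers do (RFC 6797, section 8.1).
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # skip the status line
    hsts_values = [
        v.strip()
        for line in lines
        for k, _, v in [line.partition(":")]
        if k.strip().lower() == "strict-transport-security"
    ]
    if not hsts_values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(hsts_values) > 1:
        findings.append("header sent %d times; browsers use only the first"
                        % len(hsts_values))
    parsed = parse_hsts(hsts_values[0])
    if parsed is None:
        findings.append("unparseable header value: %r" % hsts_values[0])
        return findings
    if parsed["max_age"] < min_max_age:
        findings.append("max-age %d is below %d"
                        % (parsed["max_age"], min_max_age))
    if parsed["preload"] and not parsed["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    return findings


# Constructed sample responses, not captured from a real NetScaler.
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=157680000\r\n"
        "\r\n<html></html>")
DUPLICATED = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=300\r\n"
              "Strict-Transport-Security: max-age=157680000\r\n"
              "\r\n")

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("duplicated", DUPLICATED)):
        print(name, check_response(resp) or "OK")
```

The DUPLICATED sample shows why the back-end check matters: if the back end already sends a short max-age and the NetScaler appends a second header, browsers keep the short one, and the checker reports both the duplicate and the weak value.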

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@[email protected]) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.