Enable HSTS with NetScaler

HTTP Strict Transport Security, or HSTS, tells a browser that has reached your site over HTTPS to refuse plain HTTP connections to it for the period given in max-age, which defeats SSL-stripping attacks on later visits. It is also one of the requirements for that all-important A+ score on Qualys SSL Labs.

If you’re running a NetScaler in front of your service, you may want the Virtual Server serving the content to add the header, rather than each back-end service or service group, so every application behind the vServer gets the same policy without any back-end changes. This is quite simple using a rewrite policy.

NetScaler Rewrite Policy to enable HSTS

add rewrite action RW_ACT_HSTS insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy RW_POL_HSTS true RW_ACT_HSTS
bind lb vserver vs_remote -policy RW_POL_HSTS -priority 100 -gotoPriorityExpression END -type RESPONSE

All responses through this vServer will now have the HSTS header attached. You can (and should) change the max-age to your preferred value: 157680000 seconds is five years, and SSL Labs wants at least six months (15768000) for an A+. Remember that it is a commitment, because once browsers have cached the policy they will not fall back to HTTP for that period unless you first send max-age=0. A few caveats: bind the policy only to the SSL (HTTPS) vServer, since browsers ignore an HSTS header received over plain HTTP; if a back end already sets the header you will get two copies and only the first is honoured; and add includeSubDomains to the string only once every subdomain really serves HTTPS. Thanks to Ivan Cacic for this tip!
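Once the policy is bound it is worth checking what actually leaves the vServer. The following is an added example for this post, not code from the original post or from Citrix/NetScaler: it parses a Strict-Transport-Security value per RFC 6797 and audits it against thresholds that are assumptions taken from the published scanner criteria (SSL Labs wants max-age of at least six months for an A+; hstspreload.org wants at least one year plus includeSubDomains and preload). The header lists at the bottom are constructed, not captured from a real system.

```python
"""Audit the Strict-Transport-Security header a NetScaler vServer emits.

Added example, not part of the original post or of NetScaler itself.
Thresholds are assumptions drawn from RFC 6797 and scanner criteria.
"""
from __future__ import annotations

import http.client
import ssl
from dataclasses import dataclass, field

SIX_MONTHS = 15_768_000   # assumed SSL Labs A+ floor for max-age
ONE_YEAR = 31_536_000     # assumed hstspreload.org floor for max-age


@dataclass
class Hsts:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> Hsts:
    """Parse one STS field value (RFC 6797 s6.1): directives are ';'-separated,
    names are case-insensitive, max-age may be quoted, no directive may repeat."""
    pol = Hsts()
    seen: set[str] = set()
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if not name:
            continue
        if name in seen:
            pol.problems.append(f"directive {name!r} repeated; header is invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                pol.max_age = int(val)
            else:
                pol.problems.append(f"max-age value {val!r} is not a non-negative integer")
        elif name == "includesubdomains":
            pol.include_subdomains = True
        elif name == "preload":
            pol.preload = True
        # unknown directives are permitted by RFC 6797 and ignored by clients
    if "max-age" not in seen:
        pol.problems.append("max-age missing; browsers ignore the header")
    return pol


def audit(policy: Hsts, *, scheme: str = "https", want_preload: bool = False) -> list[str]:
    """Return findings; an empty list means the policy is acceptable."""
    findings = list(policy.problems)
    if scheme != "https":
        findings.append("HSTS received over plain HTTP is ignored (RFC 6797 s8.1); "
                        "bind the rewrite policy to the SSL vServer only")
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the host")
        elif policy.max_age < SIX_MONTHS:
            findings.append(f"max-age {policy.max_age} is below six months; no SSL Labs A+")
    if want_preload:
        if policy.max_age is not None and policy.max_age < ONE_YEAR:
            findings.append("preload submission needs max-age of at least one year")
        if not policy.include_subdomains:
            findings.append("preload submission needs includeSubDomains")
        if not policy.preload:
            findings.append("preload submission needs the preload directive")
    return findings


def audit_response(headers: list[tuple[str, str]], *, scheme: str = "https",
                   want_preload: bool = False) -> list[str]:
    """Audit a full response header list. Only the first STS header counts
    (RFC 6797 s8.1), so a back end that also sets one can shadow the vServer's."""
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    findings: list[str] = []
    if len(sts) > 1:
        findings.append(f"{len(sts)} STS headers present; only the first ({sts[0]!r}) is honoured")
    findings += audit(parse_hsts(sts[0]), scheme=scheme, want_preload=want_preload)
    return findings


def fetch_headers(host: str, port: int = 443) -> list[tuple[str, str]]:
    """Fetch the response headers for GET / over TLS from a live vServer."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    return conn.getresponse().getheaders()


# Constructed sample responses, not captured from a real NetScaler.
POST_VALUE = "max-age=157680000"   # the five-year value from the rewrite action above
NETSCALER_OK = [("Content-Type", "text/html"), ("Strict-Transport-Security", POST_VALUE)]
DOUBLED = NETSCALER_OK + [("Strict-Transport-Security", "max-age=60")]  # back end adds its own

if __name__ == "__main__":
    for label, hdrs in (("vserver only", NETSCALER_OK), ("vserver plus back end", DOUBLED)):
        print(label, "->", audit_response(hdrs) or "OK")
```

To check a real deployment, pass `fetch_headers("www.example.org")` (hypothetical host) to `audit_response`; the `scheme="http"` path exists so that a capture from the plain-HTTP vServer is flagged rather than silently passing.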

Written on August 4, 2016