HTTP Load Balancer: HSTS response header is missing includeSubdomains

Best practice is to include the includeSubDomains directive in the HSTS header. When HSTS is enabled on an HTTP load balancer, includeSubDomains is missing from the Strict-Transport-Security response header.

Reference links:
https://datatracker.ietf.org/doc/html/rfc6797
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

  • Joseph Cunningham
  • Jun 24 2025
  • Guest commented
    21 Jul 18:13

    I agree that an option should be available to add includeSubDomains to HSTS. But it must not be mandatory, and should not be the default for existing sites. There are subdomains that do not support HTTPS which would be broken if includeSubDomains were added to our current LBs.
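The request above and the comment's caveat both come down to what a Strict-Transport-Security value actually contains, so here is a small checker that parses the header the way RFC 6797 section 6.1 describes it (directives separated by `;`, case-insensitive names, `max-age` required, `includeSubDomains` and `preload` optional and valueless) and reports what a reviewer would flag. This is an added example, not code from the original request, from the load balancer product, or from either commenter. The function names, the `expect_subdomains` switch (which models the commenter's plain-HTTP subdomains, where the directive would be a breaking change), the one-year `max-age` threshold and all sample header values are assumptions constructed for illustration.

```python
"""Audit a Strict-Transport-Security header value against RFC 6797.

Added example; the threshold and sample values are constructed, not taken
from any real load balancer configuration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: one year is the commonly recommended minimum max-age (it is
# also what the hstspreload.org submission requirements ask for).
RECOMMENDED_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the value of a Strict-Transport-Security header.

    RFC 6797 section 6.1: directives are separated by ';', directive names
    are case-insensitive, max-age is required, every directive may appear
    at most once, and unknown directives are ignored. A quoted-string
    value such as max-age="31536000" is permitted by the grammar.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _sep, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.findings.append(f"directive '{name}' repeated; policy is invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                policy.findings.append("max-age must be a non-negative integer")
            else:
                policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Any other directive is ignored, as the RFC requires.
    if policy.max_age is None:
        policy.findings.append("max-age directive missing; header will be ignored by browsers")
    return policy


def audit_hsts(header_value: Optional[str], expect_subdomains: bool = True) -> List[str]:
    """Return review findings for a load balancer's HSTS header.

    expect_subdomains=False models a site whose subdomains are still served
    over plain HTTP, where adding includeSubDomains would break them.
    """
    if header_value is None:
        return ["Strict-Transport-Security header not present"]
    policy = parse_hsts(header_value)
    findings = list(policy.findings)
    if policy.max_age is not None and policy.max_age < RECOMMENDED_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the recommended {RECOMMENDED_MIN_MAX_AGE}")
    if expect_subdomains and not policy.include_subdomains:
        findings.append("includeSubDomains directive missing")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requires includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values: what a load balancer emits today versus the
    # value the request asks for, and the commenter's plain-HTTP case.
    samples = {
        "current LB": "max-age=31536000",
        "requested": "max-age=31536000; includeSubDomains",
        "short and repeated": "max-age=300; max-age=600",
    }
    for label, value in samples.items():
        print(label, "->", audit_hsts(value) or ["ok"])
    print("mixed-HTTP site ->", audit_hsts("max-age=31536000", expect_subdomains=False) or ["ok"])
```

Running this against the current header reports only the missing directive, while passing `expect_subdomains=False` clears that finding, which is the configurable behaviour the comment argues for.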