Best practice is to include the includeSubDomains directive in the HSTS header. When HSTS is enabled on an HTTP load balancer, includeSubDomains is missing from the Strict-Transport-Security response header.
Reference links:
https://datatracker.ietf.org/doc/html/rfc6797
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
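The difference the request is about can be checked from a load balancer's actual response. The following is an added example, not code from the original post or from F5: it parses a Strict-Transport-Security value according to the RFC 6797 directive syntax and reports where it falls short of the OWASP recommendations (a long max-age and includeSubDomains). The sample header values are constructed, and the one-year threshold is an assumption taken from the OWASP cheat sheet.

```python
# Parse a Strict-Transport-Security value per RFC 6797 section 6.1:
# directives are separated by ';', names are case-insensitive, a directive
# may carry a (possibly quoted) value, and a name must not appear twice.
def parse_hsts(value):
    """Return {directive_name: value_or_None}, or None if the header is malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip() if sep else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # unwrap a quoted-string value such as max-age="31536000"
        if name in directives:
            return None  # duplicate directive: UA must ignore the whole header
        directives[name] = val
    return directives


# Assumed threshold: OWASP recommends at least one year (31536000 seconds).
def check_hsts(value, min_age=31536000):
    """Return a list of findings; an empty list means the header meets the guidance."""
    d = parse_hsts(value)
    if d is None:
        return ["invalid: duplicate directive"]
    findings = []
    if "max-age" not in d:
        findings.append("missing required max-age directive")
    elif d["max-age"] is None or not d["max-age"].isdigit():
        findings.append("max-age is not a non-negative integer")
    elif int(d["max-age"]) < min_age:
        findings.append(f"max-age {d['max-age']} below recommended {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains not covered")
    return findings


if __name__ == "__main__":
    # Constructed samples: what the "Add HSTS Header" option emits today versus the
    # header the request asks for.
    for hdr in ("max-age=31536000", "max-age=31536000; includeSubDomains"):
        print(repr(hdr), "->", check_hsts(hdr) or "OK")
```

Before turning includeSubDomains on, the same parser can be pointed at each subdomain's HTTPS response to confirm every host under the apex actually serves TLS, since the directive applies the policy to all of them.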
This would be very helpful. As is, the feature must be disabled and custom response headers have to be configured to achieve this (leaving it enabled and using an Append option with custom response headers doesn't work as expected). As is, the "Add HSTS Header" option is confusingly useless in environments where includeSubDomains is necessary, and support points us to vague articles like this as an answer/workaround rather than addressing the feature itself: https://my.f5.com/manage/s/article/K000147825
I agree, this option was present on BIG-IP and is missing on XC.
I agree that an option should be available to add includeSubDomains to HSTS. But it must not be mandatory, and should not be the default for existing sites. There are subdomains that do not support HTTPS which would be broken if includeSubDomains were added to our current LBs.