
HSTS not recognized by SSL Labs scan when browsing through WAF

Question asked by Joe Gruppuso on Mar 27, 2020
Latest reply on Apr 16, 2020 by Nayan Kakati

I'm having a very weird issue. I have a WAF that sits in front of some portals (Citrix Netscalers) that my users use to gain access to their office computers and sits in front of some web servers (IIS and Apache).

About a year ago, we configured HSTS for all sites and portals and SSL Labs was showing an A+ for all.

After introducing the WAF, my sites are still getting an A+ but my portals (Netscalers) are only getting an A because my HSTS headers are not recognized. I am able to see the headers when tracking the requests in Chrome but for some reason SSL Labs isn't picking up on them.

When tracking the network requests in Chrome I see:

1. User browses to https://portal.company.com
2. A 302 is returned and the user is redirected to https://portal.company.com/vpn/index.html
3. A 200 is then returned and the HSTS headers are returned.

This is consistent for traffic going through the WAF and traffic going directly to the Netscaler. The only difference is that SSL Labs doesn't see the HSTS headers for some reason when going through the WAF.

Is this a bug? Misconfiguration? I can see the headers, why can't SSL Labs?
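The post describes a chain where the Strict-Transport-Security header is only observed on the final 200, not on the 302 that the portal returns first. RFC 6797 expects the header on every HTTPS response, and a scanner that evaluates the first response for the requested URL will not see one that only appears after a redirect. The following is an added example (not from the original post, Qualys or Citrix) that audits each hop of a redirect chain for the header and its max-age; the chain, header values and the 180-day threshold are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample chain modelled on the post: a 302 without HSTS,
# then a 200 that carries the header. Values are made up for the example.
CHAIN: List[Tuple[int, Dict[str, str]]] = [
    (302, {"Location": "https://portal.company.com/vpn/index.html"}),
    (200, {"Content-Type": "text/html",
           "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

# Assumed policy threshold (180 days); adjust to the scanner you are targeting.
MIN_MAX_AGE = 15552000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into lower-cased directives (RFC 6797 6.1)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_status(headers: Dict[str, str]) -> Tuple[bool, Optional[int], bool]:
    """Return (present, max_age, include_subdomains) for one response."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            d = parse_hsts(value)
            try:
                max_age: Optional[int] = int(d.get("max-age", ""))
            except ValueError:
                max_age = None  # directive missing or malformed
            return True, max_age, "includesubdomains" in d
    return False, None, False


def audit_chain(chain: List[Tuple[int, Dict[str, str]]]) -> List[Tuple[int, int, str]]:
    """List every hop that lacks HSTS or whose max-age is below the threshold."""
    findings: List[Tuple[int, int, str]] = []
    for hop, (status, headers) in enumerate(chain, start=1):
        present, max_age, _ = hsts_status(headers)
        if not present:
            findings.append((hop, status, "no Strict-Transport-Security header"))
        elif max_age is None or max_age < MIN_MAX_AGE:
            findings.append((hop, status, f"max-age {max_age} below {MIN_MAX_AGE}"))
    return findings


if __name__ == "__main__":
    for hop, status, problem in audit_chain(CHAIN):
        print(f"hop {hop} (HTTP {status}): {problem}")
```

To run it against a live host, capture each hop with a client that does not follow redirects and feed the (status, headers) pairs in; a finding on hop 1 means the redirecting response itself needs the header added, on the WAF or the origin.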
