Configure HSTS on IIS 7/8

It is possible to configure HSTS on IIS starting from version 7.

Since an HSTS implementation consists mostly of a specific response header, optionally combined with a redirection, there are several ways to configure HSTS on IIS.

Via the GUI

Caution: with this method it is not possible to attach a condition to the header, so it is sent on every response of the site. The HSTS specification clearly states that the HSTS header must only be served over HTTPS and never over plain HTTP. To be HSTS compliant with this method, you therefore need two separate IIS sites, one for HTTPS and one for HTTP, with the header added only on the HTTPS site.

To add a new header:

  • Run the IIS Manager.
  • Select your site.
  • Select HTTP Response Headers.
  • Click on Add in the Actions section.
  • In the Add Custom HTTP Response Header dialog, enter the following values:
    • For Name: Strict-Transport-Security
    • For Value: max-age=15552001; includeSubDomains; preload

It is also recommended to redirect all HTTP traffic to HTTPS.

Via the manual IIS configuration

You can configure your headers and the redirection more precisely by editing the IIS configuration directly, in particular the system.webServer section.

You can add the following rules to your system.webServer section to send the HSTS header on HTTPS responses only and to redirect HTTP to HTTPS:

  <?xml version="1.0" encoding="UTF-8"?>
  <configuration>
    <system.webServer>
      <rewrite>
        <rules>
          <!-- Inbound rule: permanently redirect any plain-HTTP request to the same URL over HTTPS -->
          <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
          </rule>
        </rules>
        <outboundRules>
          <!-- Outbound rule: set the HSTS header only when the request came in over HTTPS -->
          <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
            <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
            <conditions>
              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            </conditions>
            <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
  </configuration>
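As an added example (not code from the original page or from TBS), the following Python checks whether a deployment behaves the way the rules above intend: the header is sent only over HTTPS, plain HTTP is permanently redirected, and the preload directives are consistent with the one-year minimum max-age that hstspreload.org requires. The responses are constructed (scheme, status, headers) tuples standing in for what an HTTP client would return, and www.example.com is a placeholder host.

```python
from typing import Dict, List, Optional, Tuple

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires max-age of at least one year

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into directives (RFC 6797); names are case-insensitive, valueless ones map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

def check_hsts(responses: List[Tuple[str, int, Dict[str, str]]]) -> List[str]:
    """Check one host's (scheme, status, headers) responses, header names lower-cased; [] means compliant."""
    findings: List[str] = []
    for scheme, status, headers in responses:
        hsts = headers.get("strict-transport-security")
        if scheme == "http":
            # RFC 6797: the header must only be sent over a secure transport
            if hsts is not None:
                findings.append("HSTS header served over plain HTTP (must be HTTPS only)")
            if status not in (301, 308) or not headers.get("location", "").startswith("https://"):
                findings.append("plain HTTP is not permanently redirected to HTTPS")
            continue
        if hsts is None:
            findings.append("HTTPS response has no Strict-Transport-Security header")
            continue
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("max-age missing or not an integer")
        elif "preload" in d and int(max_age) < PRELOAD_MIN_MAX_AGE:
            findings.append(f"preload requested but max-age={max_age} is under one year")
        if "preload" in d and "includesubdomains" not in d:
            findings.append("preload requested without includeSubDomains")
    return findings

# Constructed sample: what the rewrite rules above produce (redirect, header on HTTPS only)
GOOD_DEPLOYMENT = [
    ("http", 301, {"location": "https://www.example.com/"}),
    ("https", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
]
# Constructed sample: a GUI-only site that sends the header on HTTP too and never redirects
BAD_DEPLOYMENT = [
    ("http", 200, {"strict-transport-security": "max-age=15552001; includeSubDomains; preload"}),
    ("https", 200, {"strict-transport-security": "max-age=15552001; includeSubDomains; preload"}),
]
```

Running check_hsts over live responses only requires collecting the (scheme, status, headers) tuples with any HTTP client that does not follow redirects.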

See also