How to enable HTTP Strict-Transport-Security (HSTS) on IIS

Set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS. Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers; this post adds some more technical information about HSTS in IIS (and other security headers).

Enable and serve an HTTP Strict Transport Security (HSTS) response header in IIS #

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.

HSTS improves security and prevents man-in-the-middle attacks, downgrade attacks, and cookie hijacking.

It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

Therefore, adding an HSTS header is important after you’ve added SSL to your WordPress website, so browsers automatically request your HTTPS address.

Read the blog post: How to enable HTTP Strict Transport Security (HSTS) in IIS7+. Basically, all you need to add to your web.config for HSTS is an Outbound Rule that rewrites responses and sends the HTTP Strict Transport Security response header:

<outboundRules>
	<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
		<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
		<conditions>
			<add input="{HTTPS}" pattern="on" ignoreCase="true" />
		</conditions>
		<action type="Rewrite" value="max-age=31536000" />
	</rule>
</outboundRules>

Pro Tip: While you’re at it, don’t forget to remove the IIS Server: response header and the ETag header as well.


HSTS and includeSubdomains #

Do you have your SSL (TLS) certificate on your www. subdomain? Then you need to cover it as well, using the includeSubDomains directive (which applies the policy to every subdomain of the host). The outboundRules rule then becomes:

<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
	<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
	<conditions>
		<add input="{HTTPS}" pattern="on" ignoreCase="true" />
	</conditions>
	<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>

If you include the preload flag, your site is eligible to be included in Chrome’s HSTS preload list (also used by Firefox and Safari). You’ll find more information about this in OWASP’s HSTS HTTP Strict Transport Security examples.
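As an added example (not code from the original post), here is a small Python check that parses a Strict-Transport-Security value the way RFC 6797 tells user agents to (case-insensitive directive names, max-age mandatory, each directive at most once, unknown directives ignored) and reports whether the value meets the preload list's minimum requirements. The one-year minimum max-age is taken from the preload list's published requirements and is assumed to be current.

```python
"""Validate a Strict-Transport-Security header value as a browser would (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed current minimum max-age for the preload list


@dataclass
class HstsPolicy:
    valid: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    reason: str = ""  # why a user agent would ignore the header, if invalid


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one header value; a syntax violation means the UA ignores it entirely."""
    seen = set()
    max_age = None
    include_sub = preload = False
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # max-age may be a quoted-string
        if name in seen:                     # each directive MUST appear at most once
            return HstsPolicy(False, None, False, False, f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return HstsPolicy(False, None, False, False, "max-age is not a number")
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:                      # max-age is the one REQUIRED directive
        return HstsPolicy(False, None, include_sub, preload, "max-age missing")
    return HstsPolicy(True, max_age, include_sub, preload)


def preload_eligible(policy: HstsPolicy) -> bool:
    """Preload list minimum: valid header, one year, includeSubDomains and preload."""
    return (policy.valid and policy.max_age is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)
```

Feed it the exact value from your outbound rule's action (for example `max-age=31536000` from the first rule above, which is valid but not preload-eligible) or the value you see in a response captured with your browser's developer tools.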

HSTS header in WordPress functions.php #

You can set an HSTS header in WordPress through your theme’s functions.php file as well. To do this, hook into the send_headers action.

Use the following code in your functions.php to send an HSTS header from WordPress:

<?php
// Send the HSTS header from WordPress on the send_headers action.
add_action( 'send_headers', 'saotn_add_hsts_header' );
function saotn_add_hsts_header() {
	// RFC 6797 only allows the header on responses sent over HTTPS; browsers ignore it otherwise.
	if ( ! is_ssl() ) {
		return;
	}
	header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}

Want to know more about SSL in WordPress? See my article SSL in WordPress: how to move WordPress to HTTPS? The definitive guide.


About the Author Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.

3 Comments on "How to enable HTTP Strict-Transport-Security (HSTS) on IIS"

Anonymous
Guest

i love u man.. thanks!!

Chris
Guest

I’m curious about your first solution using outboundRules. What are the pros and cons to this vs your other page where you detail other options? Everything I’ve tried is producing a redirect loop except for this outboundRules way.

Also, if you could speak more to the options shown like “max-age” then that would be great.

Thanks!