HTTP Strict Transport Security (HSTS)

HSTS is a mechanism that mitigates protocol-downgrade attacks (forcing https:// back to http://) such as SSL stripping. To enable it, the server adds a single response header, Strict-Transport-Security, to the responses it sends over HTTPS.

Once a browser has received the header over a valid HTTPS connection, it rewrites every subsequent http:// request for that host to https:// for as long as the max-age value allows, so the insecure request never leaves the client. If the TLS session then cannot be established (for example, because the certificate is expired, self-signed or issued for a different name), the browser shows a non-recoverable error instead of offering a click-through.

  1. Open “IIS Manager” and select the website to which you would like to apply HSTS.
  2. Double-click on the “HTTP Response Headers” icon:

    Hardening_5.jpg

  3. Click “Add” in the “Actions” pane on the right.
  4. Enter “Strict-Transport-Security” in the “Name” field.
  5. Enter “max-age=[time_in_seconds]” in the “Value” field, for example:

    max-age=31536000

    (31536000 seconds is one year)

  6. Optionally add “includeSubDomains” to the “Value” field if you would like the HSTS policy to cover the subdomains of your domain name as well as the main domain name. Because browsers cache the policy, every subdomain must then be reachable over valid HTTPS until the policy expires.

    If you include it, the “max-age” and “includeSubDomains” directives should be delimited with a semicolon:

    max-age=31536000; includeSubDomains

    Hardening_6.jpg

  7. Click “Ok”.
Note that the HSTS header only takes effect when the site is served over HTTPS with an SSL certificate issued by a trusted Certificate Authority; please refer to this article. Browsers ignore a Strict-Transport-Security header received over plain HTTP, so keep an HTTP-to-HTTPS redirect in place as well.
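The same change as steps 1 to 7, made from PowerShell so that it can be scripted and then verified from the client side. This is an added example and not part of the original article; it assumes the IIS WebAdministration module, a site named “Default Web Site” that already has an HTTPS binding with a CA-issued certificate, and the host name www.example.com, all of which are placeholders to adjust.

```powershell
# Added example, not part of the original article: set the HSTS header on an IIS site
# with the WebAdministration module, then confirm it is actually served over HTTPS.
# Assumptions: site name "Default Web Site", host name www.example.com, and an HTTPS
# binding with a trusted certificate already in place. Adjust $siteName and $hostName.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$hostName = 'www.example.com'
$maxAge   = 31536000                                 # one year, in seconds
$value    = "max-age=$maxAge; includeSubDomains"     # drop includeSubDomains if any subdomain is HTTP-only
$sitePath = "IIS:\Sites\$siteName"
$filter   = 'system.webServer/httpProtocol/customHeaders'

# Remove any existing Strict-Transport-Security entry first: IIS rejects a duplicate
# header name in the collection, and sending the header twice only confuses clients.
$existing = Get-WebConfiguration -PSPath $sitePath -Filter "$filter/add" |
    Where-Object { $_.name -eq 'Strict-Transport-Security' }
if ($existing) {
    Remove-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
        -AtElement @{ name = 'Strict-Transport-Security' }
}

# Equivalent of "Add" in the HTTP Response Headers feature: writes an <add> element
# under system.webServer/httpProtocol/customHeaders in the site's web.config.
Add-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
    -Value @{ name = 'Strict-Transport-Security'; value = $value }

# Verify from the client side. Invoke-WebRequest refuses an untrusted certificate,
# which is exactly the condition under which a browser would ignore HSTS anyway.
$resp = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing
$hsts = "$($resp.Headers['Strict-Transport-Security'])"   # join to a string; PowerShell 7 returns string[]
if ($hsts -match '^max-age=(\d+)') {
    "HSTS header present: $hsts (policy lifetime {0} days)" -f ([int]$Matches[1] / 86400)
} else {
    Write-Warning "No Strict-Transport-Security header on https://$hostName/ - check the HTTPS binding."
}
```

A custom header added this way is sent on every response, including plain http:// ones; browsers discard it there, so it does no harm, but the HTTP-to-HTTPS redirect still has to exist for the policy to be learned on a first visit. When rolling this out, consider starting with a short max-age (a few minutes) and raising it to a year only after the HTTPS check above passes, since a long cached policy cannot be withdrawn from clients that have already stored it.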
