HTTP Strict Transport Security (HSTS)

Setting up HSTS on IIS

For instructions on how to set up HSTS on other servers, you can check the "How to enable HSTS on third-party servers" article.

HSTS is a mechanism aimed to mitigate risks of downgrade attacks (https:// to http://) such as SSL Stripping. To enable HSTS, you just need to add a particular string to HTTP header sent by the server.

Once a header with HSTS directive is received, a browser will automatically change any insecure requests (http://) to secure (https://)ones, in case a client attempts to establish a further connection with the website. In case of any issues during session establishment, the connection should result in a non-recoverable error.

Open “IIS Manager” and select the website you would like to apply HSTS for.
Double-click on the “HTTP Response Headers” shortcut:
Click on “Add” on the right side of “Actions” menu.
Enter “Strict-Transport-Security” in the “Name” field
Enter “max-age=[time_in_seconds]” in the Value field, for example:
max-age=31536000
(31536000 seconds it’s about 1 year)
Optionally add “includeSubDomains” in the “Value” field if you would like to apply HSTS policy for subdomains of your domain name, as well as for the main domain name.
If you would like to include it, “max=age” and “includeSubDomains” directives should be delimited with a semicolon:
max-age=31536000; includeSubDomains
Click “Ok”.

Note that HSTS header will only work on the server using an SSL certificate issued by a trusted Certificate Authority, please refer to this article.

Associated articles

Hardening SSL/TLS configuration on IIS 8.5

Updated

11/8/2023

Viewed

43791 times