How do you enable HSTS on IIS with web.config?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks, such as protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

To enable HSTS on IIS via the web.config file, you should add a custom HTTP response header. Here's how you can do it:

  1. Open the web.config file located in the root directory of your website.

  2. Locate the <system.webServer> section. If it doesn't exist, you need to create one.

  3. Inside the <system.webServer> section, add a <httpProtocol> section with a <customHeaders> subsection.

  4. Inside <customHeaders>, add the HSTS header. The header name is Strict-Transport-Security, and the value should be max-age=31536000 for one year, for example.

Here's what the relevant part of your web.config file should look like:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

In the max-age=31536000 setting, 31536000 is the time in seconds that the browser should remember that this site is only to be accessed using HTTPS. Browsers only honour the header when they receive it over an HTTPS connection; a copy sent in a plain HTTP response is ignored, so the site still needs an HTTP-to-HTTPS redirect for a visitor's first request.

Please be aware that once a browser receives this header, the browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It will continue to do so even if you remove the HSTS header, until the max-age period it last received has expired (the timer is refreshed on every HTTPS response that carries the header). The only way to clear the policy sooner is to serve the header with max-age=0 over HTTPS.
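After deploying the web.config change above, it is worth confirming what the server actually sends rather than trusting the configuration file. The following script is an added example and not part of the original article or of IIS: it parses a Strict-Transport-Security value, reports the problems a defender would want to catch (header missing on HTTPS, malformed max-age, max-age=0 left in place, short max-age, no includeSubDomains), and includes a small live-fetch helper. The sample responses at the bottom are constructed, not captured from a real server, and the function names are this example's own.

```python
"""Check an HTTP response for a well-formed HSTS header.

Added example (not code from the original article or from IIS). The
responses in SAMPLES are constructed for illustration.
"""
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; the max-age used in the article's web.config


def parse_hsts(value):
    """Parse the directives of a Strict-Transport-Security value.

    Returns a dict with max_age (int), include_subdomains and preload (bool).
    Raises ValueError if max-age is missing or not a non-negative integer.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip().strip('"')  # max-age may be quoted per RFC 6797
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"invalid max-age: {arg!r}")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def check_hsts(scheme, headers):
    """Return a list of findings for one response; an empty list means OK."""
    findings = []
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if scheme.lower() != "https":
        # Browsers ignore HSTS received over plain HTTP, so only the HTTPS
        # response tells you whether the policy is really in effect.
        findings.append("response fetched over HTTP: browsers ignore HSTS here, check the HTTPS response")
        return findings
    value = lookup.get("strict-transport-security")
    if value is None:
        findings.append("Strict-Transport-Security header missing on HTTPS response")
        return findings
    try:
        parsed = parse_hsts(value)
    except ValueError as exc:
        findings.append(f"malformed header: {exc}")
        return findings
    if parsed["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy (only use this to roll HSTS back)")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append(f"max-age={parsed['max_age']} is under one year")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains remain reachable over HTTP")
    return findings


def fetch_and_check(url):
    """Live check of a deployed site (needs network access; not used by the samples)."""
    with urllib.request.urlopen(url) as resp:
        scheme = url.split(":", 1)[0]
        return check_hsts(scheme, dict(resp.headers.items()))


# Constructed sample responses: (label, scheme, headers)
SAMPLES = [
    ("article config", "https", {"Strict-Transport-Security": "max-age=31536000"}),
    ("hardened", "https", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    ("header missing", "https", {"Server": "Microsoft-IIS/10.0"}),
    ("plain http", "http", {"Strict-Transport-Security": "max-age=31536000"}),
    ("typo in value", "https", {"strict-transport-security": "max-age=one-year"}),
]

if __name__ == "__main__":
    for label, scheme, headers in SAMPLES:
        print(f"{label}: {check_hsts(scheme, headers) or ['OK']}")
```

Run it as a script to see the findings for each constructed sample, or call fetch_and_check("https://your-site.example/") against a site you administer once the web.config change is live. The "article config" sample is reported with a single finding, the absence of includeSubDomains, which is a deliberate choice in the article's minimal configuration rather than an error.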
