HTTP Strict-Transport-Security (HSTS) response header is used to tell browsers that the particular website should only be accessed solely over HTTPS. This is a powerful feature that is easy to implement to mitigate the risks for the communication to be intercepted by hackers and keep your website visitors safe.
Enabling HTTP Strict Transport Security on IIS
See the steps below to enable HSTS on IIS:
- Launch IIS Manager.
- On the left pane of the window, click on the website you want to add the HTTP header and double-click on HTTP Response Headers.
- In HTTP Response Headers window, click on Add… on the right pane and type in Strict-Transport-Security for Name and max-age=63072000; includeSubDomains; preload for Value and click OK.The max-age value 63072000 is the number of seconds for the duration of two years. You need to enter a value of at least one year.
Now you can verify if the header is delivered correctly by running a curl command.
curl -I https://www.itnota.com
You should see that very header listed among other entries:
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
That’s all there is to utilize HSTS on IIS.
Buy me a coffee?
If you find this post helpful and would like to buy me a coffee to support the work here, you’ll have our big thanks!
Support IT Nota: Buy me a Coffee
Further Reading
Strict-Transport-Security
How to Use cURL HTTP/2 on macOS
How to Enable Secure HttpOnly Cookies in IIS