The HTTP Strict-Transport-Security (HSTS) response header tells browsers that a particular website must only be accessed over HTTPS. It is a powerful feature that is easy to implement, mitigates the risk of the communication being intercepted by attackers, and keeps your website visitors safe.
Enabling HTTP Strict Transport Security on IIS
See the steps below to enable HSTS on IIS:
- Launch IIS Manager.
- On the left pane of the window, click on the website you want to add the HTTP header to and double-click on HTTP Response Headers.
- In the HTTP Response Headers window, click on Add… on the right pane, type in Strict-Transport-Security for Name and max-age=63072000; includeSubDomains; preload for Value, and click OK. The max-age value 63072000 is the number of seconds in two years. You need to enter a value of at least one year.
Now you can verify whether the header is delivered correctly by running a curl command.
curl -I https://www.itnota.com
You should see that header listed among the other entries:
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
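Reading the curl output by eye works for one site, but a small checker is handy when you maintain several. The script below is an added example and is not code from the original post; it takes the raw header dump that curl -I prints (a constructed sample is embedded so it runs offline), extracts the Strict-Transport-Security value, and reports anything that falls short of the policy described above: a missing header, a max-age below one year, a max-age of 0 (which tells browsers to drop the policy), or a missing includeSubDomains or preload directive. Directive names are compared case-insensitively, as RFC 6797 specifies, so the includeSubdomains spelling in the curl output above passes just like includeSubDomains.

```python
"""Validate a Strict-Transport-Security header value against the policy
described above (added example, not part of the original post).

The checker works on the raw header dump captured from `curl -I`, so it
runs offline; the sample input below is constructed, not a real response.
"""
import re

# RFC 6797: directive names are case-insensitive, so "includeSubdomains"
# and "includeSubDomains" name the same directive.
ONE_YEAR = 31536000  # seconds; the minimum max-age the post asks for


def parse_hsts(value):
    """Split an HSTS header value into a {directive: argument} dict, names lowercased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def check_hsts(value, min_age=ONE_YEAR, want_subdomains=True, want_preload=True):
    """Return a list of problems found; an empty list means the header passes."""
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    problems = []
    d = parse_hsts(value)
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        problems.append("max-age is missing or not a number")
    else:
        seconds = int(age)
        if seconds == 0:
            problems.append("max-age=0 tells browsers to drop the HSTS policy")
        elif seconds < min_age:
            problems.append("max-age %d is below the %d-second (one year) minimum"
                            % (seconds, min_age))
    if want_subdomains and "includesubdomains" not in d:
        problems.append("includeSubDomains directive is missing")
    if want_preload and "preload" not in d:
        problems.append("preload directive is missing")
    return problems


def hsts_from_headers(raw_headers):
    """Pull the Strict-Transport-Security value out of a `curl -I` dump (None if absent)."""
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None


# Constructed sample of what `curl -I` prints; only the HSTS line matters here.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
"""

if __name__ == "__main__":
    value = hsts_from_headers(SAMPLE_HEADERS)
    for line in check_hsts(value) or ["OK: header meets the policy"]:
        print(line)
```

To check a live site, pipe the real output into it (for example `curl -sI https://www.itnota.com | python3 check_hsts.py`, reading stdin instead of SAMPLE_HEADERS). Note that once browsers have cached a policy with includeSubDomains and preload, it is hard to undo, so make sure every subdomain serves valid HTTPS before shipping that value.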
That’s all there is to utilize HSTS on IIS.