Learn more about enforcing HSTS in IIS. Our IIS Support team is here to help you with your questions and concerns.

Enforcing HSTS IIS

Enforcing HSTS in IIS involves configuring our web server to send HSTS headers to web browsers. Additionally, it instructs browsers to only connect to our website via HTTPS.

This boosts the security of our web traffic by preventing downgrade attacks. Furthermore, it ensures the communication with our website is encrypted.

Let’s take a look at how to enforce HSTS in IIS:

1. To begin with, open the IIS Manager on the server.
2. Then, choose the website for which we want to enforce HSTS in the Connections pane.
3. Next, we have to double-click “HTTP Response Headers” in the website’s features pane.
4. After that, click “Add…” in the Actions pane to add a new HTTP Response Header.
5. Now, set the following values for the HSTS header in the dialog box:
   • Name: Enter “Strict-Transport-Security”.
   • Value: Set the value of the header, which includes:
     • max-age: It is the time in seconds that the browser should remember to enforce HTTPS.
     • includeSubDomains: If we want to include all subdomains under the HSTS policy, add this directive.
     • preload: This lets our domain to be included in browser HSTS preload lists.
6. Then, click OK to save the configuration.
7. Before enforcing HSTS, we have to test the configuration to ensure it doesn’t cause any issues. We can use online tools to check the HSTS policy and submit the domain for inclusion in browser preload lists.
8. Finally, restart the IIS server for the changes to take effect.

After the above steps, we have to monitor the website for any issues, especially during the initial rollout.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

In brief, our Support Experts demonstrated how to enforce HSTS in IIS.