Learn how to enable HSTS in IIS Manager or PowerShell with exact commands and settings to secure your site and enforce HTTPS quickly.
How to Enable HSTS in IIS Manager or PowerShell
When it comes to securing a website, one feature that makes a big difference is HTTP Strict Transport Security (HSTS). It forces browsers to connect only via HTTPS, keeping data safe and stopping users from accidentally accessing your site over an insecure connection. Let’s break down how to enable HSTS in IIS Manager or PowerShell in a way that’s simple, accurate, and straight to the point.

Why HSTS Matters
Enabling HSTS tells browsers to stop loading your website over HTTP: once a browser has received the policy over HTTPS, it upgrades every later request to HTTPS on its own. This not only prevents downgrade attacks but also builds trust among users who expect HTTPS every time they visit your site. Once enabled, browsers remember this rule for a set duration, typically one year.
Enable HSTS in IIS Manager or PowerShell
You can enable HSTS in two ways: through the IIS Manager graphical interface or with PowerShell commands. Both methods achieve the same goal but cater to different preferences. Let’s look at each one closely.
Using IIS Manager
Here’s how you can configure HSTS directly from the IIS interface:
1. Open Server Manager and go to Tools → Internet Information Services (IIS) Manager.
2. Choose the website where you want to enable HSTS.
3. On the right pane, click HSTS…
4. Tick the box Enable.
5. Adjust other options like max-age, includeSubDomains, and preload as per your needs.
6. Finally, confirm and apply your settings.
Once this is done, your website will start enforcing HTTPS connections automatically.
Using PowerShell
For administrators who prefer scripts or need to manage multiple sites efficiently, PowerShell is the way to go. Open PowerShell as Administrator and run the commands below, replacing the example site name RX-7.srv.world with your own:
PS C:\Users\Administrator> Get-Website
Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:
RX-7.srv.world   2    Started    C:\inetpub\newsite             http *:80:rx-7.srv.world
# set site name you'd like to enable HSTS
PS C:\Users\Administrator> [String]$MySite = "RX-7.srv.world"
# enable HSTS for the target site
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "enabled" -AttributeValue $true
# set [max-age] of HSTS as 31536000 sec (365 days)
# for [max-age], refer to https://hstspreload.org/
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "max-age" -AttributeValue 31536000
# set [includeSubDomains] of HSTS as enabled
# this option applies to all subdomains
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "includeSubDomains" -AttributeValue $true
# set [redirectHttpToHttps] of HSTS as enabled
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "redirectHttpToHttps" -AttributeValue $true
# set [preload] of HSTS as enabled
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "preload" -AttributeValue $true
# confirm settings
PS C:\Users\Administrator> Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts"
Attributes : {enabled, max-age, includeSubDomains, preload...}
ChildElements : {}
ElementTagName : hsts
IsLocallyStored : True
Methods :
RawAttributes : {[enabled, True], [max-age, 31536000], [includeSubDomains, True], [preload, True]...}
Schema : Microsoft.Web.Administration.ConfigurationElementSchema
After running these commands, you’ve successfully enabled HSTS with max-age set to one year, includeSubDomains and preload activated, and automatic redirection from HTTP to HTTPS.

Final Check
Once you enable this, always verify it’s functioning properly. You can test your domain on hstspreload.org to ensure your configuration meets best practices.
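The header side of this check can also be scripted. The following is an added example, not part of the original article: Test-HstsHeader is a hypothetical helper name, the sample header values are constructed, and the pass criteria are the max-age, includeSubDomains and preload settings configured above.

```powershell
# Added example (not from the original page): audit a Strict-Transport-Security
# header value against the policy configured above. Test-HstsHeader is a
# hypothetical helper name; the sample header values below are constructed.
function Test-HstsHeader {
    param(
        [string]$HeaderValue,
        [long]$MinMaxAge = 31536000      # one year, the max-age set on this page
    )
    $directives = @{}
    $problems   = New-Object 'System.Collections.Generic.List[string]'

    foreach ($part in ($HeaderValue -split ';')) {
        $part = $part.Trim()
        if ($part -eq '') { continue }
        $name, $value = $part -split '=', 2
        $name = $name.Trim().ToLowerInvariant()   # directive names are case-insensitive
        if ($directives.ContainsKey($name)) {     # RFC 6797: each directive only once
            $problems.Add("duplicate directive '$name'")
            continue
        }
        # A value may be a token or a quoted-string: max-age="31536000" is legal
        $directives[$name] = if ($null -ne $value) { $value.Trim().Trim('"') } else { $null }
    }

    [long]$maxAge = -1
    if (-not $directives.ContainsKey('max-age')) {
        $problems.Add('max-age is missing (it is the one required directive)')
    } elseif ($directives['max-age'] -notmatch '^\d+$' -or
              -not [long]::TryParse($directives['max-age'], [ref]$maxAge)) {
        $problems.Add('max-age is not a whole number of seconds')
    } elseif ($maxAge -lt $MinMaxAge) {
        $problems.Add("max-age $maxAge is below $MinMaxAge")
    }
    foreach ($flag in 'includesubdomains', 'preload') {
        if (-not $directives.ContainsKey($flag)) { $problems.Add("$flag is missing") }
    }
    [pscustomobject]@{ Header = $HeaderValue; MaxAge = $maxAge
                       Pass = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

# Constructed sample values, not captured from a real server
@(
    'max-age=31536000; includeSubDomains; preload',             # matches the settings above
    'max-age=300',                                              # short-lived policy, no flags
    'max-age="31536000"; includesubdomains; preload; preload'   # quoted value, duplicate
) | ForEach-Object { Test-HstsHeader -HeaderValue $_ } | Format-List
```

To audit a live site, pass the function the Strict-Transport-Security value from an HTTPS response; browsers ignore the header when it arrives over plain HTTP.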
Conclusion
Security isn’t a one-time setup, it’s a habit. Taking time to enable HSTS strengthens your site’s protection and prevents attackers from forcing unsafe connections. It’s quick to set up, and the peace of mind it brings is worth every second.
