Find out what to do if IIS HSTS is missing from the HTTPS server. Our IIS Support team is here to help you with your questions and concerns.

IIS HSTS missing from the HTTPS server

If HSTS is missing from an HTTPS server in IIS, it means that the server is not sending the HSTS header to clients’ web browsers.

According to our experts, it may be due to several reasons:

• If HSTS is not enabled in the server configuration, the server won’t send the HSTS header to clients.
• If the HSTS is not configured correctly with specific directives, it can cause issues.
• If the “Strict-Transport-Security” field is missing in the HSTS header from the server’s response, it will lead to an error.
• If our website contains mixed content, HSTS may not be enabled to avoid breaking functionality.
• If our website is behind a proxy server or uses a CDN, it may interfere with the transmission of HSTS headers.
• An invalid or expired SSL/TLS certificate can prevent HSTS from working correctly. We have to make sure that our SSL/TLS certificate is up-to-date and valid.

How to enable or correct HSTS in IIS

1. First, open the IIS Manager on our server.
2. Then, select our website in the Connections pane.
3. Next, we have to double-click HTTP Response Headers in the website’s features pane.
4. After that, click Add in the Actions pane and enter “Strict-Transport-Security” as the name.
5. Additionally, enter the HSTS directives like “max-age,” “includeSubDomains,” and “preload,” as needed.
6. Then, save the configuration.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

In brief, our Support Experts demonstrated what to do if IIS HSTS is missing from HTTPS server.