Monday, 5 October 2015

How to enable HSTS in IIS / Azure



Before proceeding, read more about HSTS at http://blog.arunkumarpalaniappan.me/2015/09/http-strict-transport-security-hsts.html


In this post we will go through the steps to enable HSTS in IIS or Azure Web Applications.

First locate web.config in C:\inetpub\wwwroot (if you use IIS) or /site/wwwroot (in Azure Web Applications). If no such file is found, create a new file named web.config.


Add the following content to the file:

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Save the file, replacing the existing web.config if there was one.

Now open http://{URL} in the browser; you will automatically be redirected to https://{URL}. Great, HSTS is successfully implemented in IIS / Azure.
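To confirm the deployment beyond watching the browser redirect, here is an added Python check (not from the original post; standard library only): it verifies that plain HTTP answers with a permanent redirect to the same host over HTTPS and that the HTTPS response carries a well-formed Strict-Transport-Security header with at least the one-year max-age the web.config above sets. Responses are passed in as (status, headers) so the check also runs on captured data; fetch() is a live probe, and the host name in its docstring is an assumption.

```python
"""Added check for an HSTS deployment like the IIS/Azure web.config above:
responses are passed in as (status, headers); fetch() is a live probe."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the value the web.config above sets

def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload'; None if max-age is bad."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def check_deployment(url, http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means HSTS is deployed."""
    findings, host = [], urlsplit(url).hostname
    hdr = {k.lower(): v for k, v in http_headers.items()}
    loc = urlsplit(hdr.get("location", ""))
    if http_status not in (301, 308):
        findings.append(f"http: expected permanent redirect, got {http_status}")
    if loc.scheme != "https" or loc.hostname != host:
        findings.append(f"http: Location must point at https://{host}/")
    shdr = {k.lower(): v for k, v in https_headers.items()}
    policy = parse_hsts(shdr.get("strict-transport-security", ""))
    if policy is None:
        findings.append("https: missing or malformed Strict-Transport-Security")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"https: max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # keep the 301, don't follow it
        return None

def fetch(url):
    """Live probe, e.g. fetch('http://www.example.com/') (assumed host) -> (status, headers)."""
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(url, timeout=10)
    except urllib.error.HTTPError as err:  # 3xx and error responses land here
        resp = err
    return resp.code, dict(resp.headers)
```

Run check_deployment(url, *fetch(http_url), fetch(https_url)[1]) against your own host; any non-empty list means the rewrite rules are not doing what the post expects.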
