We can implement HSTS using multiple approaches.
Approach 1: URL Rewrite rules in web.config
PRE-REQUISITES: the IIS URL Rewrite module has to be installed from the link below.
Add the following to web.config:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound rule: any request that arrived over plain HTTP gets a 301 to the same path on HTTPS -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound rule: set the HSTS header only on responses that were served over HTTPS -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```
The `{HTTPS}` condition on the outbound rule is not optional: browsers ignore a Strict-Transport-Security header received over plain HTTP, so sending it there achieves nothing, and the HTTP response is left to the redirect rule. Keep `preload` only if the domain is going to be submitted to the browser preload list; that listing requires `includeSubDomains` and a max-age of at least one year, and it is hard to reverse.
Approach 2: per-request logic in global.asax
Add the following to global.asax:
```csharp
// Runs at the start of every request the application handles.
protected void Application_BeginRequest()
{
    switch (Request.Url.Scheme)
    {
        case "https":
            // Browsers only honour HSTS on responses received over TLS,
            // so the header is added on the HTTPS branch only.
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
            break;
        case "http":
            // Permanent redirect to the same host and path on HTTPS.
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            // Stop the pipeline here so no page body is rendered over HTTP.
            CompleteRequest();
            break;
    }
}
```
Approach 3: HTTP Redirect module in IIS Manager
This is one of the simplest methods, but it has a lot of limitations and is ideally not used. Here is how it is done:
PRE-REQUISITES: the HTTP Redirect module is installed and the website has a valid HTTPS binding in place.
Launch IIS Manager.
Open the HTTP Redirect module.
Fill in the details as required, as shown below:
The HTTP Response Header has to be added separately, as explained below:
Click on HTTP Response Headers.
Click on Add... in the Actions panel.
Enter the following values in the Add Custom HTTP Response Header dialog box:
Name: Strict-Transport-Security
Value: max-age=31536000
Confirm and close IIS Manager.
Testing HSTS:
Method 1:
HSTS status can be checked with Qualys SSL Labs.
Go to the URL below.
In the Hostname textbox, enter the website to be tested for HSTS.
Besides the overall score, which is derived from a range of checks, scroll down the result page once the analysis has completed to the Protocol Details subsection and locate the Strict Transport Security (HSTS) item; the result of the HSTS check is shown next to it.
If HSTS is enabled, it will display HSTS Yes together with the max-age, as shown in the figure above.
Method 2:
To test the new header, simply reload the website using a non-secure (http://) URL. In the Network tab of the Chrome Developer Tools the request shows either a 307 Internal Redirect or a 301 Moved Permanently. The 307 is not sent by the server: Chrome already has an HSTS policy cached for the host and rewrites the request to HTTPS itself before it leaves the browser. On the very first visit, before any policy has been cached, the server's 301 redirect is what you see instead.
MAX-AGE IN HSTS:
HSTS settings include a "max-age" directive, a value in seconds (31536000 is one year) that tells the browser how long to cache and enforce the policy before it has to see the header again.
Testing Max-age:
Type chrome://net-internals/#hsts into the Chrome address bar; it displays the screen below.
Under the Query domain section, enter the domain name and click Query; the cached HSTS details for that site, including its expiry, are shown as below.
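As an added example (not code from the original article), the following Python script does in code what Method 2 and the max-age test do by hand: it parses a Strict-Transport-Security value, audits a response for the usual mistakes (header missing, header sent over plain HTTP, short max-age, preload without includeSubDomains), and models the browser's HSTS store so you can see when an http:// request is upgraded internally (Chrome's 307 Internal Redirect) and when the max-age has elapsed and the server's 301 is needed again. The host names, header values and timestamps in it are constructed; nothing is fetched from the network.

```python
"""HSTS header parsing, response audit and a minimal model of the browser's HSTS store.

Added example; not part of the original article. All inputs are constructed.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age value used throughout the article, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives (RFC 6797).

    Directives are separated by ';' and names are case-insensitive. Unknown
    directives are ignored, as browsers do. Raises ValueError if max-age is
    missing or not a non-negative integer.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer, got %r" % arg)
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def audit_response(headers, over_https):
    """Return a list of findings for one response.

    headers: dict of lower-cased header name -> value.
    over_https: whether the response was received over TLS.
    """
    findings = []
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    if not over_https:
        findings.append("HSTS header received over HTTP is ignored by browsers")
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        findings.append("malformed HSTS header: %s" % exc)
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the policy instead of setting one")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year (%d s)" % policy["max_age"])
    if policy["preload"] and (not policy["include_subdomains"] or policy["max_age"] < ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age of at least one year")
    return findings


class HstsCache:
    """Minimal model of the browser-side store that chrome://net-internals/#hsts displays."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def learn(self, host, header_value, over_https, now):
        """Record the policy from a response; returns True if an entry was stored."""
        if not over_https:
            return False  # the header is only honoured on TLS responses
        policy = parse_hsts(header_value)
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 clears a cached policy
            return False
        self._entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def should_upgrade(self, url, now):
        """True when the browser would rewrite this http:// URL to https:// itself
        (the 307 Internal Redirect seen in Chrome's Network tab)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # max-age elapsed: the server's 301 is needed again
            if i == 0 or include_subdomains:
                return True
        return False


if __name__ == "__main__":
    # Constructed responses: one correct, one sent over HTTP with a short max-age.
    print(audit_response({"strict-transport-security": "max-age=31536000; includeSubDomains"}, True))
    print(audit_response({"strict-transport-security": "max-age=300"}, False))
    cache = HstsCache()
    cache.learn("www.example.test", "max-age=31536000; includeSubDomains", True, now=1000)
    print(cache.should_upgrade("http://www.example.test/login", now=2000))
    print(cache.should_upgrade("http://www.example.test/login", now=2000 + ONE_YEAR))
```

The cache lookup walks from the full host name up through its parent domains, which is how `includeSubDomains` takes effect: a policy learned for `www.example.test` with that directive also upgrades `api.www.example.test`, while one without it covers the exact host only.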