Implementing HSTS in IIS 7: A Practical Guide to HTTP Strict Transport Security Configuration

HTTP Strict Transport Security (HSTS) is a crucial security mechanism: once a browser has received the Strict-Transport-Security header over HTTPS, it talks to that host exclusively through HTTPS for the max-age period, rewriting http:// links itself and refusing to let the user click through certificate errors. When working with IIS 7, proper implementation requires more than just adding a response header - it demands understanding of server-level configuration nuances.

For IIS 7, you have two primary approaches to enable HSTS:

Method 1: Using IIS Manager GUI

1. Open IIS Manager
2. Select your website
3. Double-click "HTTP Response Headers"
4. Click "Add..." in the Actions pane
5. Enter:
   - Name: Strict-Transport-Security
   - Value: max-age=31536000; includeSubDomains; preload
6. Click OK

Method 2: Using the command line (PowerShell)

For automated deployment or server farms, use this PowerShell command. It needs the WebAdministration module (Import-Module WebAdministration in an elevated session), and the 'MACHINE/WEBROOT/APPHOST' path writes to applicationHost.config at the server level, so every site on the machine gets the header; add -Location 'Default Web Site' (with your site name) to scope it to one site:

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpProtocol/customHeaders" -name "." -value @{name='Strict-Transport-Security';value='max-age=31536000; includeSubDomains; preload'}

Adjust the max-age value to your rollout stage rather than starting at a year; the preload list requires at least 31536000 seconds together with includeSubDomains and preload. The lines below are complete header values, not extra parameters:

# Short-term testing configuration (1 hour)
Strict-Transport-Security: max-age=3600

# Production configuration with preload consideration
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

After implementation, verify with:

curl -I https://yourdomain.com

Look for the Strict-Transport-Security header in the response. For browser testing, the Network tab of Chrome's DevTools shows the header on each response, and chrome://net-internals/#hsts reports whether the browser has stored an HSTS entry for the domain.

  • Ensure SSL is properly configured before enabling HSTS
  • Pair HSTS with an HTTP-to-HTTPS redirect: a browser only learns the policy from a response it received over HTTPS (it ignores the header on plain-HTTP responses), so the first visit still depends on the redirect
  • Don't set extremely short max-age values in production
  • Remember that preload submission is irreversible
  • Test includeSubDomains carefully if using wildcard certificates

HTTP Strict Transport Security (HSTS) is a critical security feature that forces browsers to interact with your website exclusively through HTTPS. In IIS 7, enabling HSTS requires adding a specific HTTP response header. While newer IIS versions have native support, IIS 7 requires manual configuration.

For administrators preferring graphical interface:

  1. Open IIS Manager
  2. Select your website
  3. Double-click "HTTP Response Headers"
  4. Click "Add..." in the right pane
  5. Enter these values:
     Name: Strict-Transport-Security
     Value: max-age=31536000; includeSubDomains; preload

For automation or Server Core installations, run appcmd.exe from %windir%\system32\inetsrv. Without a site name as the first argument the header is set server-wide; use appcmd set config "Default Web Site" /section:httpProtocol ... (with your site name) to scope it to one site:

appcmd set config /section:httpProtocol /+"customHeaders.[name='Strict-Transport-Security',value='max-age=31536000; includeSubDomains; preload']"

Customize the HSTS header based on your requirements:

  • Basic implementation: max-age=31536000
  • With subdomains: max-age=31536000; includeSubDomains
  • Preloading: max-age=31536000; includeSubDomains; preload

After configuration, verify using:

curl -I https://yourdomain.com

Look for the Strict-Transport-Security header in the response.
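The verification step above (and the matching "verify with curl -I" step in the first half of this article) only tells you the header is present. The checker below is an added example, not part of the original article or of IIS: it parses the text that curl -I prints, parses the directive list of the header, and judges it against the max-age guidance given here (short values for testing, at least a year in production, and the preload list's requirement of max-age >= 31536000 with includeSubDomains). The thresholds, function names and the sample curl output are my own constructions.

```python
"""Parse and sanity-check the Strict-Transport-Security header of an HTTPS response."""
import re
import sys
import urllib.request

# Policy thresholds used by this checker (assumption: chosen to match the
# article's rollout advice and the hstspreload.org submission rules).
TEST_MAX_AGE_CEILING = 3600          # above this a value is no longer a "short" test value
PRODUCTION_MIN_MAX_AGE = 31536000    # one year
PRELOAD_MIN_MAX_AGE = 31536000       # preload list requires at least one year

# Constructed sample of what `curl -I` prints for a production site (not a real capture).
SAMPLE_CURL_OUTPUT = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html
"""


def parse_raw_headers(text):
    """Turn `curl -I` output (status line, then 'Name: value' lines) into (name, value) tuples."""
    headers = []
    for line in text.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line or stray text
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_hsts(value):
    """Parse an HSTS directive list into a dict with a lower-cased key per directive.
    Returns None when the value is malformed: missing or non-numeric max-age, or a
    directive that appears twice (RFC 6797 forbids repeated directives)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = raw.strip().strip('"') if has_value else True
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


def evaluate(headers, stage):
    """Judge the HSTS header in `headers` for a rollout stage ('test' or 'production').
    Returns (ok, findings): ok is False when the policy is missing, malformed or
    unsafe for the stage; findings lists human-readable reasons."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, ["no Strict-Transport-Security header in the response"]
    findings = []
    if len(values) > 1:
        findings.append("header sent %d times; browsers honour only the first" % len(values))
    policy = parse_hsts(values[0])
    if policy is None:
        return False, ["malformed header value: %r" % values[0]]
    max_age = policy["max-age"]
    ok = True
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
        ok = False
    elif stage == "test" and max_age > TEST_MAX_AGE_CEILING:
        findings.append("max-age=%d is long for a test rollout; mistakes stay cached" % max_age)
    elif stage == "production" and max_age < PRODUCTION_MIN_MAX_AGE:
        findings.append("max-age=%d is below one year; use a longer value in production" % max_age)
        ok = False
    if "preload" in policy:
        if "includesubdomains" not in policy:
            findings.append("preload requires includeSubDomains")
            ok = False
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append("preload requires max-age of at least one year")
            ok = False
    return ok, findings


def check_url(url, stage="production"):
    """Send a HEAD request to `url` and evaluate its HSTS header.
    Browsers only honour the policy on HTTPS responses, so other schemes are rejected."""
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only honoured on HTTPS responses; use an https:// URL")
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return evaluate(list(response.headers.items()), stage)


if __name__ == "__main__":
    # Usage: python hsts_check.py https://yourdomain.com [test|production]
    # With no arguments the constructed sample output is checked instead of a live host.
    rollout_stage = sys.argv[2] if len(sys.argv) > 2 else "production"
    if len(sys.argv) > 1:
        passed, notes = check_url(sys.argv[1], rollout_stage)
    else:
        passed, notes = evaluate(parse_raw_headers(SAMPLE_CURL_OUTPUT), rollout_stage)
    print("OK" if passed else "FAIL")
    for note in notes:
        print(" -", note)
```

Run it with the test stage while the header is still at max-age=300 or 3600, then with the production stage once you raise the value; a long max-age during the test stage is reported as a finding but does not fail the check, while a value under a year in production does.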

If HSTS isn't working:

  • Ensure SSL is properly configured
  • Clear browser cache (HSTS is cached by browsers)
  • Verify the header appears in response using developer tools

Important notes when implementing HSTS:

  • Start with shorter max-age values (e.g., 300 seconds) for testing
  • The preload directive commits your domain to browser preload lists
  • Ensure all subdomains support HTTPS before including them