Enable HTTP Strict Transport Security (HSTS)
HSTS helps protect websites against man-in-the-middle attacks by informing a browser that it should contact the website only through HTTPS connections and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. The browser applies the policy only after it has received the Strict-Transport-Security header over a valid HTTPS connection, and it keeps it for the number of seconds given in max-age; a browser's very first plain-HTTP request to a site is therefore not protected unless the domain is on the browser preload list.
On-premise CSM customers need to enable HSTS, but the process is different depending on which version of Internet Information Services (IIS) you have.
IIS Versions Before 10.0 Version 1709
Before IIS 10.0 version 1709, the process to enable HSTS requires one of the two following configurations:
- HTTP Redirect Module + Custom Headers
- URL Rewrite Module
HTTP Redirect Module + Custom Headers
Before IIS 10.0 version 1709, use the HTTP Redirect Module to configure settings to redirect client requests to a new location. See https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpredirect/. Use two separate websites, one for HTTP and the other for HTTPS: the HTTP site redirects every request to the HTTPS site, and the HTTPS site adds Strict-Transport-Security as a custom response header. The HTTP Redirect Module redirects every request to the site it is configured on, including requests that already arrived over HTTPS, so a single site with both bindings would redirect to itself in an infinite loop.
For more details on this configuration, see Solution 1: HTTP Redirect Module + Custom Headers in the Microsoft documentation: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts#challenges-on-enabling-hsts-before-iis-100-version-1709.
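The two web.config fragments below are an added example of the two-site layout described above; they are not from the original page or from Microsoft's documentation. The site names CSM-HTTP and CSM-HTTPS, the host name csm.example.com and the one-year max-age are assumptions chosen for illustration.

```xml
<!-- File 1: web.config at the root of the HTTP-only site (assumed name CSM-HTTP,
     binding http *:80:csm.example.com). Its only job is to send every request to
     the HTTPS site. exactDestination="false" appends the requested path, so deep
     links survive the redirect; childOnly="false" applies the rule to the site
     root as well as to child paths. -->
<configuration>
  <system.webServer>
    <httpRedirect enabled="true"
                  destination="https://csm.example.com"
                  exactDestination="false"
                  childOnly="false"
                  httpResponseStatus="Permanent" />
  </system.webServer>
</configuration>

<!-- File 2: web.config at the root of the HTTPS site (assumed name CSM-HTTPS,
     binding https *:443:csm.example.com). This site never redirects, so there is
     no loop; it only adds the STS header. Because the site has no HTTP binding,
     the header is only ever sent over TLS, which is the only case browsers honour. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- 31536000 seconds = one year. Start with a short max-age (for example 300)
             while validating the setup, then raise it. Append "; includeSubDomains"
             only if every subdomain of csm.example.com is served over HTTPS, because
             the browser will refuse plain HTTP to all of them for max-age seconds. -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After applying both files, check with a browser's network panel or curl -I that a request to http://csm.example.com/ returns a 301 to the https URL with the same path, and that the https response carries the Strict-Transport-Security header while the http redirect response does not.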
URL Rewrite Module
Before IIS 10.0 version 1709, install the URL Rewrite Module and configure rewrite rules for a single website with both HTTP and HTTPS bindings. See https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-the-url-rewrite-module. An inbound rule redirects HTTP requests to HTTPS, and an outbound rule adds the STS header to HTTPS replies only. Because both rules test the {HTTPS} server variable, one site can hold both bindings without creating a redirect loop.
For more details on this configuration, see Solution 2: URL Rewrite Module in the Microsoft documentation: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts#challenges-on-enabling-hsts-before-iis-100-version-1709.
IIS 10.0 Version 1709 Native HSTS Support
IIS 10.0 version 1709 and later support HSTS natively, so neither the HTTP Redirect Module nor the URL Rewrite Module is needed for it. You can enable HSTS at site level by configuring the attributes of the <hsts> element under each <site> element in applicationHost.config: enabled, max-age, includeSubDomains, preload and redirectHttpToHttps. See https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts.
For more details on this configuration, see IIS 10.0 Version 1709 Native HSTS Support in the Microsoft documentation: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts#iis-100-version-1709-native-hsts-support.
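The applicationHost.config fragment below is an added example of the native site-level configuration described above; it is not from the original page or from Microsoft's documentation. The site name CSM, its id, the physical path and the host name csm.example.com are assumptions chosen for illustration.

```xml
<!-- Fragment of %windir%\System32\inetsrv\config\applicationHost.config on
     IIS 10.0 version 1709 or later. Both bindings live on the one site so that
     redirectHttpToHttps can answer the port-80 requests itself; the HTTPS binding
     still needs a certificate assigned to it as usual. -->
<site name="CSM" id="1" serverAutoStart="true">
  <application path="/">
    <virtualDirectory path="/" physicalPath="D:\CSM\Web" />
  </application>
  <bindings>
    <binding protocol="http" bindingInformation="*:80:csm.example.com" />
    <binding protocol="https" bindingInformation="*:443:csm.example.com" />
  </bindings>
  <!-- enabled:             turn the feature on (default false)
       max-age:             seconds the browser must remember the policy (default 0,
                            which tells a browser to discard a stored policy)
       includeSubDomains:   set true only if every subdomain is HTTPS-only
       preload:             leave false unless you intend to submit the domain to the
                            browser preload list; once shipped inside browsers the
                            policy is very hard to reverse
       redirectHttpToHttps: IIS answers plain-HTTP requests with a redirect to https,
                            so no redirect module or rewrite rule is required -->
  <hsts enabled="true"
        max-age="31536000"
        includeSubDomains="false"
        preload="false"
        redirectHttpToHttps="true" />
</site>
```

IIS adds the Strict-Transport-Security header to HTTPS responses only; plain-HTTP requests receive just the redirect. The same attributes can be set from IIS Manager, appcmd or the WebAdministration PowerShell module instead of editing the file by hand. Verify as before: the http request should return a redirect to the https URL, and the https response should carry the header with the max-age you configured.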