Tuesday, 15 March 2016

Enabling HSTS on IIS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

HSTS can be enabled in IIS by installing the URL Rewrite module and deploying rewrite rules.

At a high level, enabling HSTS on IIS requires the following configuration tasks:

  1. Install URL Rewrite module
  2. Deploy inbound rule that directs to a secure location (HTTPS) from insecure one (HTTP)
  3. Deploy outbound rule that adds the HTTP header for Strict-Transport-Security.
  4. Perform IISreset

In order to use URL Rewrite in IIS it is required to install the extension from the IIS Download site.

Install IIS extension URL Rewrite

Search for and download the extension from http://www.iis.net/downloads, either through the Microsoft Web Platform Installer (Web PI) or by downloading the MSI package from the Additional Downloads subsection.

Deploy inbound rule that directs to a secure location from insecure one

In IIS Manager Connections pane navigate to the Site you want to configure for HSTS. From the middle pane select URL Rewrite and open it.



In the actions pane on the right, select Add Rule(s)… and add a new blank inbound rule.



Add a rule with the following settings:


XML representation of the rule

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                redirectType="Permanent" />
</rule>

Deploy outbound rule that adds the HTTP header for Strict-Transport-Security

In IIS Manager Connections pane navigate to the Site you want to configure for HSTS. From the middle pane select URL Rewrite and open it. In the actions pane on the right, select Add Rule(s)… and add a new blank outbound rule.


Add a rule with the following settings:


XML representation of the rule

<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
        <match serverVariable="RESPONSE_Strict_Transport_Security"
                pattern=".*" />
        <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        </conditions>
        <action type="Rewrite" value="max-age=31536000" />
</rule>

Restart IIS

Open an elevated command prompt and run iisreset.exe.
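After the restart, the two behaviours the rules produce can be checked against captured responses. The script below is an added example, not part of the original post; it works on constructed sample responses rather than contacting a server, and assumes URL Rewrite's default of appending the query string to the redirect target.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses standing in for what the two rules above
# produce once deployed; they were not captured from a real server.
HTTP_RESPONSE = {
    "request_url": "http://www.example.com/path/page?id=1",
    "status": 301,
    "headers": {"Location": "https://www.example.com/path/page?id=1"},
}
HTTPS_RESPONSE = {
    "request_url": "https://www.example.com/path/page?id=1",
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=31536000"},
}

def header(resp, name):
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in resp["headers"].items()}.get(name.lower())

def parse_hsts(value):
    """Parse an HSTS value (RFC 6797 section 6.1); a numeric max-age is mandatory."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        raise ValueError("HSTS header lacks a numeric max-age directive")
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_redirect(resp):
    """Inbound rule: plain-http request gets a permanent redirect to the same host, path and query over https."""
    src = urlsplit(resp["request_url"])
    loc = urlsplit(header(resp, "Location") or "")
    return (resp["status"] in (301, 308)  # 301 is what redirectType="Permanent" emits
            and loc.scheme == "https"
            and loc.netloc == src.netloc
            and (loc.path, loc.query) == (src.path, src.query))

def check_hsts(resp, min_age=31536000):
    """Outbound rule: header present on https only; UAs ignore HSTS sent over http (RFC 6797 section 8.1)."""
    value = header(resp, "Strict-Transport-Security")
    if urlsplit(resp["request_url"]).scheme != "https" or value is None:
        return False
    return parse_hsts(value)["max-age"] >= min_age

if __name__ == "__main__":
    print("redirect ok:", check_redirect(HTTP_RESPONSE))  # True
    print("hsts ok:", check_hsts(HTTPS_RESPONSE))          # True
```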
