| title | author | description | ms.author | ms.date | msc.type |
|---|---|---|---|---|---|
HSTS settings for a Web Site <hsts> |
bangbingsyb |
Overview The <hsts> element of the <site> element configures HSTS settings for a website |
yashi |
04/16/2019 |
config |
The <hsts> element of the <site> element contains attributes that allow you to configure HTTP Strict Transport Security (HSTS) settings for a site on IIS 10.0 version 1709 and later.
Note
If the <hsts> element is configured in both the <siteDefaults> section and in the <site> section for a specific site, the configuration in the <site> section is used for that site.
| Version | Notes |
|---|---|
| IIS 10.0 version 1709 | The <hsts> element of the <site> element was introduced in IIS 10.0 version 1709. |
| IIS 10.0 | N/A |
| IIS 8.5 | N/A |
| IIS 8.0 | N/A |
| IIS 7.5 | N/A |
| IIS 7.0 | N/A |
| IIS 6.0 | N/A |
The <hsts> element of the <site> element is included in the default installation of IIS 10.0 version 1709 and later.
There is no user interface that lets you configure the <hsts> element of the <site> element for IIS 10.0 version 1709. For examples of how to configure the <hsts> element of the <site> element programmatically, see the Sample Code section of this document.
| Attribute | Description |
|---|---|
enabled |
Optional Boolean attribute. Specifies whether HSTS is enabled (true) or disabled (false) for a site. If HSTS is enabled, the Strict-Transport-Security HTTP response header is added when IIS replies an HTTPS request to the web site. The default value is false. |
max-age |
Optional uint attribute. Specifies the max-age directive in the Strict-Transport-Security HTTP response header field value. The default value is 0. |
includeSubDomains |
Optional Boolean attribute. Specifies whether the includeSubDomains directive is included in the Strict-Transport-Security HTTP response header field value. Note: Enable this attribute only if all subdomains indeed offer HTTP-based service over TLS/SSL. The default value is false. |
preload |
Optional Boolean attribute. Specifies whether the preload directive is included in the Strict-Transport-Security HTTP response header field value. Note: Enable this attribute only if the domain of the site has been submitted for inclusion in the HSTS preload list. The default value is false. |
redirectHttpToHttps |
Optional Boolean attribute. Specifies whether HTTP to HTTPS redirection is enabled (true) or disabled (false) for a site. Note: Enabling redirectHttpToHttps enforces the site-level HTTP to HTTPS redirection. When IIS redirects an HTTP request, it replaces the URI scheme with "https" and ignores the port component. Make sure that the redirection destination provides HTTP-based service over TLS/SSL on standard port 443. The default value is false. |
None.
The following configuration sample shows a web site named Contoso that has HSTS enabled with both HTTP and HTTPS bindings. The max-age attribute is set as 31536000 seconds (a year) so that the user agents will regard the host as a Known HSTS Host within a year after the reception of the Strict-Transport-Security header field. The includeSubDomains attribute is set as true to specify that the HSTS policy applies to this HSTS Host (contoso.com) as well as any subdomain (for example, www.contoso.com or marketing.contoso.com). Finally, the redirectHttpToHttps attribute is set as true so that all HTTP requests to the site will be redirected to HTTPS.
[!code-xmlMain]
The following code samples enable HSTS for a web site named Contoso with both HTTP and HTTPS bindings. The sample sets max-age attribute as 31536000 seconds (a year), and enables both the includeSubDomains and the redirectHttpToHttps attributes.
[!code-consoleMain]
Note
You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the applicationHost.config file.
[!code-csharpMain]
[!code-vbMain]
[!code-javascriptMain]
[!code-vbMain]
[!code-powershellMain]