Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is an optional security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, it prevents any communication to the specified domain from being sent over HTTP and instead, sends it over HTTPS. It also prevents HTTPS click-through prompts on browsers.

Open the web.config file and perform the following transformations:

NOTE: You are always sending the header - even when you are not under HTTPS.

The first rule is redirecting always from HTTP to HTTPS, while the second one is adding Strict-Transport-Security header.

NOTE: If you have a load-balanced environment, the HSTS header can be configured on the load balancer instead of the webserver.

Was this article helpful?