Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is an optional security enhancement that a web application enables by sending a special response header. Once a supporting browser has received this header, it refuses to send any request to the specified domain over plain HTTP and uses HTTPS instead. It also stops the browser from offering click-through prompts past HTTPS certificate errors for that domain.

Open the web.config file and perform the following transformations:

<!-- Add the custom header by adding the following: -->

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

<!-- Add the URL rewrite rules: find the <system.webServer> tag and, after the handlers section, add the following: -->

<rewrite>

  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>

  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>
  </outboundRules>

</rewrite>

NOTE: With the customHeaders entry above, the header is sent on every response, including responses served over plain HTTP rather than HTTPS. Browsers ignore a Strict-Transport-Security header received over HTTP, so this does not weaken the protection, but only the outbound rule limits the header to HTTPS responses.

The first rule always redirects HTTP requests to HTTPS with a permanent (301) redirect, while the second one adds the Strict-Transport-Security header to responses served over HTTPS.

NOTE: In a load-balanced environment, the HSTS header can be set on the load balancer instead of on the web server.
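After deploying the web.config changes, you will want to confirm from the outside that both behaviours are actually in place: plain HTTP requests get a permanent redirect to HTTPS, and HTTPS responses carry a Strict-Transport-Security header with the intended max-age. The following check is an added example written for this page; it is not part of the Sitefinity documentation or product. It uses only the Python standard library, parses the header value according to the directive syntax of RFC 6797, and works the same whether IIS or a load balancer sets the header. The host name is passed on the command line; `www.example.com` is only a placeholder default.

```python
"""Client-side check for the HTTP-to-HTTPS redirect and the HSTS header.

Added example, not Sitefinity's own code. Assumes the site is reachable on
ports 80 and 443 under the host name given on the command line.
"""
import http.client
import sys
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age value used in the web.config above (seconds)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive, so they are lower-cased; max-age is
    converted to an int. Returns None when the value is missing or has no
    valid max-age, which makes the header invalid for browsers.
    """
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            directives[name] = int(raw)
        else:
            # Valueless directives such as includeSubDomains / preload
            directives[name] = raw or True
    if "max-age" not in directives:
        return None
    return directives


def check_http_redirect(status, headers, host):
    """True if an http:// response permanently redirects to https:// on the same host."""
    target = urlsplit(headers.get("location", ""))
    return status in (301, 308) and target.scheme == "https" and target.hostname == host


def check_hsts(headers, min_age=ONE_YEAR):
    """Return (ok, reason) for the HSTS header of an https:// response."""
    hsts = parse_hsts(headers.get("strict-transport-security"))
    if hsts is None:
        return False, "no valid Strict-Transport-Security header"
    if hsts["max-age"] < min_age:
        return False, "max-age %d is below %d" % (hsts["max-age"], min_age)
    return True, "max-age=%d" % hsts["max-age"]


def fetch(host, scheme, path="/"):
    """Send a HEAD request and return (status, dict of lower-cased headers)."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def main(host):
    status, headers = fetch(host, "http")
    if check_http_redirect(status, headers, host):
        print("HTTP redirect: ok")
    else:
        print("HTTP redirect: FAIL (status %s, location %r)" % (status, headers.get("location")))
    status, headers = fetch(host, "https")
    ok, reason = check_hsts(headers)
    print("HSTS header: %s (%s)" % ("ok" if ok else "FAIL", reason))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "www.example.com")  # placeholder host
```

Run it as `python hsts_check.py your.site.example` once the site is live. Because the header rule in web.config only fires for HTTPS responses, the script deliberately reads the header from the HTTPS response and treats the HTTP response as nothing more than a redirect.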
