msa - 3 months ago 40
ASP.NET (C#) Question

Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles

How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?

Answer

There is an IIS module which enables HSTS compliant with the HSTS Draft Specification (RFC 6797); you can find it here: https://hstsiis.codeplex.com/

DON'T TRY THIS:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

because this will include the STS header in HTTP responses over non-secure transport.
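For comparison with the snippet above, a web.config fragment that emits the header only on HTTPS responses. This is an added example, not part of the original answer; it assumes the IIS URL Rewrite module is installed on the role, and the rule name is made up for illustration.

```xml
<system.webServer>
  <rewrite>
    <outboundRules>
      <!-- Hypothetical rule name. RESPONSE_Strict_Transport_Security is
           URL Rewrite's name for the Strict-Transport-Security response
           header (RESPONSE_ prefix, dashes replaced by underscores). -->
      <rule name="Add STS header on HTTPS only" enabled="true">
        <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
        <conditions>
          <!-- {HTTPS} is "on" only when the request arrived over TLS, so
               plain-HTTP responses are left without the header. -->
          <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        </conditions>
        <!-- Same header value as the customHeaders snippet above. -->
        <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
```

After deploying, request the site over both http:// and https:// and confirm that Strict-Transport-Security appears only in the HTTPS response.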
