In this article, we will only show simple tutorial about how to enable and serve HTTP Strict Transport Security (HSTS) response header in IIS.

Definition HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.

HSTS improves security and prevents man-in-the-middle attacks, downgrade attacks, and cookie-hijacking.

It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

Therefore, adding a HSTS header is important after you’ve added SSL to your WordPress website, so browsers automatically request your HTTPS address.

All you need to add to your web.configconfiguration file is an Outbound Rule, to rewrite request responses and sending the HTTP Strict Transport Security response header:

<outboundRules>
  <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions>
      <add input="{HTTPS}" pattern="on" ignoreCase="true" />
    </conditions>
    <action type="Rewrite" value="max-age=31536000" />
  </rule>
</outboundRules>

HSTS and includeSubdomains #

Do you have your SSL (TLS) certificate on your www. subdomain? Then you need to include it using includeSubdomains. The outboundRules rule then becomes:

<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
  <conditions>
    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
  </conditions>
  <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>

HSTS header in WordPress functions.php #

You can set a HSTS header through your functions.php theme file as well. For this to happen, you can hook into the send_headers action.

Use the following code in your functions.php to send a HSTS header:

<?php
add_action( 'send_headers', 'saotn_add_hsts_header' );
function saotn_add_hsts_header() {
  header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}