I have the following code snippet for IIS.
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTPS_301_Redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add_HSTS_Header" preCondition="USING_HTTPS" patternSyntax="Wildcard">
          <match serverVariable="RESPONSE_Strict-Transport-Security" pattern="*" />
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
        <preConditions>
          <preCondition name="USING_HTTPS">
            <add input="{HTTPS}" pattern="^ON$" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
Found here:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Q1: How do you know this is the correct syntax for the RESPONSE_ server variable (from the code snippet above)?
serverVariable="RESPONSE_Strict-Transport-Security"
Q2: Where can I find more info about it?
Best Answer
HTTP Strict Transport Security (HSTS) is a flag that a website can set so that all further communication from supported browsers will be forced to HTTPS.
In your configuration, the flag tells browsers to only use HTTPS for your site for at least the next year. This is done through an outbound rewrite rule that adds the HSTS header to all outbound responses.
As most users type in websites as www.example.com or example.com, and not https://www.example.com, this is to help users avoid using unencrypted HTTP for communication.
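The answer describes what the outbound rule does (add Strict-Transport-Security with a one-year max-age, but only on responses served over HTTPS). The following Python is an added example, not code from the question, the answer, or IIS: it simulates that rule's precondition logic, parses the header value a browser would receive, and checks a response against the policy. The responses it checks are constructed sample data, and the function names are my own.

```python
# Added example: simulate the posted IIS outbound rule and check HSTS responses.
# Not from the original post; function names and sample responses are constructed.
import re
from typing import Dict, Optional, Tuple

MIN_MAX_AGE = 31536000  # one year, the max-age value in the posted rule


def apply_outbound_rule(https_on: bool, headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror the posted rule: the USING_HTTPS precondition ({HTTPS} == "ON")
    must hold before RESPONSE_Strict-Transport-Security is rewritten."""
    out = dict(headers)
    if https_on:
        out["Strict-Transport-Security"] = "max-age=%d" % MIN_MAX_AGE
    return out


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an HSTS header value into its directives (RFC 6797 syntax).
    Returns None when the mandatory max-age directive is missing or malformed."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be quoted
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def check_hsts(scheme: str, headers: Dict[str, str],
               min_max_age: int = MIN_MAX_AGE) -> Tuple[bool, str]:
    """Decide whether a response delivers a usable HSTS policy of at least min_max_age."""
    if scheme != "https":
        # Browsers ignore an HSTS header received over plain HTTP (RFC 6797, section 8.1),
        # which is why the posted rule only adds it when {HTTPS} is ON.
        return False, "response not served over https; any HSTS header would be ignored"
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "Strict-Transport-Security header missing"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "malformed HSTS header: %r" % value
    if parsed["max_age"] < min_max_age:
        return False, "max-age %d is below the required %d" % (parsed["max_age"], min_max_age)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample responses: what the rule produces for an HTTPS and an HTTP request.
    base = {"Content-Type": "text/html"}
    https_resp = apply_outbound_rule(True, base)
    http_resp = apply_outbound_rule(False, base)
    print("https:", https_resp.get("Strict-Transport-Security"), check_hsts("https", https_resp))
    print("http: ", http_resp.get("Strict-Transport-Security"), check_hsts("http", http_resp))
    print("short:", check_hsts("https", {"Strict-Transport-Security": "max-age=300"}))
```

Running it shows the HTTPS response passing with max-age=31536000, the HTTP response carrying no header at all (and failing the check regardless, since a browser would not honour it there), and a short max-age being rejected. The same `check_hsts` function can be pointed at headers fetched from a real site to verify the rule took effect.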