IIS URL Rewrite Outbound rule server variable explanation

Tags: iis, iis-7, iis-7.5, iis-8, rewrite

I have the following code-snippet for IIS.

<configuration>
 <system.webServer>
   <rewrite>
     <rules>
       <rule name="HTTPS_301_Redirect" stopProcessing="true">
         <match url="(.*)" />
         <conditions>
           <add input="{HTTPS}" pattern="^OFF$" />
         </conditions>
         <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
       </rule>
     </rules>
     <outboundRules>
       <rule name="Add_HSTS_Header" preCondition="USING_HTTPS" patternSyntax="Wildcard">
         <match serverVariable="RESPONSE_Strict-Transport-Security" pattern="*" />
         <action type="Rewrite" value="max-age=31536000" />
       </rule>
       <preConditions>
         <preCondition name="USING_HTTPS">
           <add input="{HTTPS}" pattern="^ON$" />
         </preCondition>
       </preConditions>
     </outboundRules>
   </rewrite>
 </system.webServer>
</configuration>

Found here:

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

Q1: How do you know this is the correct syntax for the RESPONSE_ server variable (from the code snippet above)?

serverVariable="RESPONSE_Strict-Transport-Security"

Q2: Where can I find more info about it?

Best Answer

HTTP Strict Transport Security (HSTS) is a flag that a website can set so that all further communication from supported browsers will be forced to HTTPS.

In your configuration, the flag tells browsers to only use HTTPS for your site for at least the next year. This is done through an outbound rewrite rule that adds the HSTS header to all outbound responses.

Because most users type in websites as www.example.com or example.com rather than https://www.example.com, this helps users avoid using unencrypted HTTP for communication.
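URL Rewrite exposes each response header to outbound rules as a server variable named RESPONSE_ followed by the header name, so the rule above creates Strict-Transport-Security by rewriting that variable; the script below, an added example rather than code from the question or the answer, checks captured responses against what both rules should produce (a permanent redirect from HTTP to the same host and path on HTTPS, and HSTS with the configured max-age on HTTPS responses only). The response samples are constructed; replace them with headers captured from your own site.

```python
from urllib.parse import urlsplit

# max-age configured by the Add_HSTS_Header rule above: one year in seconds
EXPECTED_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError(f"invalid HSTS value: {value!r}")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_response(request_url, status, headers):
    """Compare one response with the rules; return a list of findings (empty = OK)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    url = urlsplit(request_url)
    if url.scheme == "http":
        # HTTPS_301_Redirect: plain HTTP must answer 301 to the same host and path
        if status != 301:
            findings.append(f"expected 301 over http, got {status}")
        want = f"https://{url.netloc}{url.path}"
        if not hdrs.get("location", "").startswith(want):
            findings.append(f"Location {hdrs.get('location')!r} should start with {want!r}")
        # USING_HTTPS precondition: the header must not be emitted over plain HTTP
        if "strict-transport-security" in hdrs:
            findings.append("HSTS sent over http: USING_HTTPS precondition not effective")
    else:
        value = hdrs.get("strict-transport-security")
        if value is None:
            findings.append("HSTS header missing on https response")
        else:
            try:
                age = parse_hsts(value)["max-age"]
                if age < EXPECTED_MAX_AGE:
                    findings.append(f"max-age {age} below configured {EXPECTED_MAX_AGE}")
            except ValueError as exc:
                findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample responses standing in for captures from a real site
    samples = [
        ("http://www.example.com/login?x=1", 301, {"Location": "https://www.example.com/login?x=1"}),
        ("https://www.example.com/login", 200, {"Strict-Transport-Security": "max-age=31536000"}),
        ("http://www.example.com/", 200, {"Strict-Transport-Security": "max-age=31536000"}),
    ]
    for url, status, headers in samples:
        print(url, "->", check_response(url, status, headers) or "OK")
```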