Ssl – HTTP Strict Transport Security (HSTS), Azure and HTTP Strict Transport Security IIS Module


Question: How do you properly install and configure HTTP Strict Transport Security (HSTS) in an Azure website?

Apparently for IIS the method to use is to install this module: http://hstsiis.codeplex.com/

The problem is that, according to the documentation, you need to install several .dll's in different places (HSTS-IIS-Module-2.0.0.msi). Unfortunately that doesn't seem possible in an Azure website environment (How to install IIS module in Azure website?). Using a virtual machine would probably work but my question targets a regular Azure website/webapp (ASP.NET MVC 5 Application).

Best Answer

UPDATE:

If you are running ASP.NET, you want to install NWebsec. It will allow you to configure HSTS but also Content-Security-Policy and other headers related to OWASP Secure Headers Project.


This solution was covered by Scott Hanselman in his blog (source at the bottom of the answer).

Basically, HSTS is just an HTTP header. But you only want to send it when you are in HTTPS. This will then lock your site in HTTPS for the max-age specified.

Here's what should be in the web.config of your application:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Source
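The web.config above relies on two behaviours that are easy to get wrong on a real deployment: plain HTTP must redirect permanently to the https:// origin, and the Strict-Transport-Security header must appear only on HTTPS responses with the intended max-age. The following check is an added example, not code from the answer above or from Scott Hanselman's post; it models a pair of captured responses as plain Python objects (the Response class, parse_hsts and check_hsts are hypothetical helpers, and the sample responses are constructed, not taken from any site) so the logic runs offline against whatever you copy out of a browser's network tab or curl -I.

```python
"""Verify that an HTTP/HTTPS response pair matches the HSTS setup described above.

Added example (not part of the original answer). The Response class and the
helper functions are hypothetical; the sample responses at the bottom are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    scheme: str                      # "http" or "https"
    status: int                      # HTTP status code
    headers: dict = field(default_factory=dict)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a directive dict.

    Returns None when max-age is missing or not an integer, which browsers
    treat as an invalid header (the policy is then ignored).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(http_resp, https_resp, min_max_age=31536000):
    """Return a list of findings; an empty list means the config behaves as intended."""
    findings = []

    # 1. Plain HTTP must redirect permanently to the https:// origin.
    h = {k.lower(): v for k, v in http_resp.headers.items()}
    if http_resp.status not in (301, 308):
        findings.append("plain HTTP does not redirect permanently (expected 301/308)")
    elif not h.get("location", "").lower().startswith("https://"):
        findings.append("HTTP redirect Location is not an https:// URL")

    # 2. HSTS over plain HTTP is ignored by browsers; it signals a misconfigured rule.
    if "strict-transport-security" in h:
        findings.append("Strict-Transport-Security sent over plain HTTP (ignored by browsers)")

    # 3. The HTTPS response must carry a well-formed header with a long enough max-age.
    s = {k.lower(): v for k, v in https_resp.headers.items()}
    hsts = s.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response lacks Strict-Transport-Security")
        return findings
    parsed = parse_hsts(hsts)
    if parsed is None:
        findings.append(f"malformed Strict-Transport-Security header: {hsts!r}")
    elif parsed["max-age"] < min_max_age:
        findings.append(f"max-age {parsed['max-age']} is below the expected {min_max_age}")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD_HTTP = Response("http", 301, {"Location": "https://example.test/"})
GOOD_HTTPS = Response("https", 200, {"Strict-Transport-Security": "max-age=31536000"})
# Failure mode: the outbound rule fired on both schemes and the redirect is missing.
BAD_HTTP = Response("http", 200, {"Strict-Transport-Security": "max-age=31536000"})
BAD_HTTPS = Response("https", 200, {"Strict-Transport-Security": "max-age=abc"})


if __name__ == "__main__":
    print("good pair:", check_hsts(GOOD_HTTP, GOOD_HTTPS) or "no findings")
    for f in check_hsts(BAD_HTTP, BAD_HTTPS):
        print("bad pair:", f)
```

The min_max_age default of one year mirrors the max-age=31536000 value in the web.config; lower it while you are still rolling HSTS out, since a long max-age locks visitors onto HTTPS for that whole period once the header has been seen.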