Information
HTTP Strict Transport Security (HSTS) allows a site to inform the user agent to communicate with the site only over HTTPS. This header takes two parameters: max-age, 'specifies the number of seconds, after the reception of the STS header field, during which the user agent regards the host (from whom the message was received) as a Known HSTS Host [speaks only HTTPS]'; and includeSubDomains. includeSubDomains is an optional directive that defines how this policy is applied to subdomains. If includeSubDomains is included in the header, it provides the following definition: this HSTS Policy also applies to any hosts whose domain names are subdomains of the Known HSTS Host's domain name.
Rationale:
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. HSTS relies on the User Agent/Browser to enforce the required behavior. All major browsers support it. If the browser doesn't support HSTS, it will be ignored.
When a browser knows that a domain has enabled HSTS, it does two things:
Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
Removes the ability for users to click through warnings about invalid certificates.
A domain instructs browsers that it has enabled HSTS by returning an HTTP header over an HTTPS connection.
Impact:
The user agent will only be able to communicate with the site over HTTPS.
Solution
Any value greater than 0 meets this recommendation. The examples below are specific to 8 minutes but can be adjusted to meet your requirements.
To set the HTTP Header at the server level using an AppCmd.exe command, run the following command from an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /+'customHeaders.[name='Strict-Transport-Security',value='max-age=480; preload']'
To set the HTTP Header and include subdomains at the server level using an AppCmd.exe command, run the following command from an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /+'customHeaders.[name='Strict-Transport-Security',value='max-age=480; includeSubDomains; preload']'
To set the HTTP Header at the Website level using an AppCmd.exe command, run the following command from an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd.exe set config '<em>Website'</em> -section:system.webServer/httpProtocol /+'customHeaders.[name='Strict-Transport-Security',value='max-age=480; preload']'
To set the HTTP Header and include subdomains at the Website level using an AppCmd.exe command, run the following command from an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd.exe set config '<em>Website'</em> -section:system.webServer/httpProtocol /+'customHeaders.[name='Strict-Transport-Security',value='max-age=480; includeSubDomains; preload']'