IIST-SV-000205 - The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS)

Information

HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public 'Allowlist'. If the browser does not support HSTS, it will be ignored.

Solution

Using the Configuration Editor in IIS Manager or PowerShell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.
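The four settings above map onto the per-site `hsts` element under `system.applicationHost/sites/site` in applicationHost.config, which IIS exposes from IIS 10.0 version 1709 onward. The script below is an added example, not text from the STIG or from Tenable: it applies the four settings with the IISAdministration module and then reads them back so the result can be compared against the check. The site name and the one-year max-age are assumptions (the STIG only requires max-age greater than 0); change them for the site being hardened, and confirm the site has a working HTTPS binding first, since redirectHttpToHttps sends every HTTP client to it.

```powershell
# Added example (not STIG or Tenable text): set and verify IIS 10.0 HSTS per IIST-SV-000205.
# Requires IIS 10.0 version 1709 or later and the IISAdministration module.
Import-Module IISAdministration

$SiteName = 'Default Web Site'   # assumption: the site being hardened
$MaxAge   = 31536000             # assumption: one year in seconds; the STIG only requires > 0

# Locate the <hsts> child element of the named site in applicationHost.config.
function Get-SiteHstsElement {
    param([Parameter(Mandatory)][string]$Name)
    $sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
    $site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $Name }
    return Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
}

# Apply the four settings the STIG calls for in one commit.
function Set-SiteHsts {
    param([Parameter(Mandatory)][string]$Name, [int]$MaxAgeSeconds = 31536000)
    Reset-IISServerManager -Confirm:$false
    Start-IISCommitDelay
    try {
        $hsts = Get-SiteHstsElement -Name $Name
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $MaxAgeSeconds
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
        Stop-IISCommitDelay          # writes applicationHost.config once
    }
    catch {
        Stop-IISCommitDelay -Commit $false   # discard the pending change on any error
        throw
    }
}

# Read the settings back and report whether they satisfy the check.
function Test-SiteHsts {
    param([Parameter(Mandatory)][string]$Name)
    $hsts       = Get-SiteHstsElement -Name $Name
    $enabled    = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'
    $maxAge     = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'
    $subDomains = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'
    $redirect   = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps'
    [pscustomobject]@{
        Site                = $Name
        Enabled             = $enabled
        MaxAge              = $maxAge
        IncludeSubDomains   = $subDomains
        RedirectHttpToHttps = $redirect
        Compliant           = ($enabled -and ($maxAge -gt 0) -and $subDomains -and $redirect)
    }
}

Set-SiteHsts -Name $SiteName -MaxAgeSeconds $MaxAge
Test-SiteHsts -Name $SiteName | Format-List
```

Run it in an elevated PowerShell session on the IIS host. `Test-SiteHsts` on its own is a quick audit of any site: a `Compliant` value of `False` identifies which of the four attributes is still at its default.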

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y23M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-218827r879887_rule, STIG-ID|IIST-SV-000205, STIG-Legacy|SV-109293, STIG-Legacy|V-100189, Vuln-ID|V-218827

Plugin: Windows

Control ID: b5628480c5a2194e25350d959550efd528752feb3856b007f552bfeab85d0298