IIST-SV-000205 - The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS) - HSTS

Information

HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public 'Allowlist'. If the browser does not support HSTS, it will be ignored.

Solution

Using the Configuration Editor in the IIS Manager or Powershell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y24M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-218827r961863_rule, STIG-ID|IIST-SV-000205, STIG-Legacy|SV-109293, STIG-Legacy|V-100189, Vuln-ID|V-218827

Plugin: Windows

Control ID: c30de2360c85b8e28c722fd00b35a5054ebef1c08bdd19228641edd47b85773c