How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?
- What is your project? MVC? Web-forms? – trailmax Feb 24 '14 at 21:10
- Have a look at my recent write-up http://tech.trailmax.info/2014/02/implemnting-https-everywhere-in-asp-net-mvc-application/; it might be helpful for your goals. – trailmax Feb 25 '14 at 14:03
- This solution conflicts with the HSTS specs. Review section 7.2 http://tools.ietf.org/html/rfc6797#section-7.2 – Mahmoud Samy Feb 25 '14 at 16:06
- HSTS specs. section 7.2 says: If an HSTS Host receives an HTTP request message over a non-secure transport, it SHOULD send an HTTP response message containing a status code indicating a permanent redirect, such as status code 301. – Mahmoud Samy Feb 25 '14 at 16:07
- So you are after a redirecting filter that sends 301 for non-secure requests? If you include these details, perhaps it would be easier to get an answer, rather than point people to RFC – trailmax Feb 25 '14 at 16:11
- Related: http://serverfault.com/questions/417173/enable-http-strict-transport-security-hsts-in-iis-7 – Jon Schneider Jul 06 '15 at 15:09
2 Answers
The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:
- Redirect all HTTP requests to HTTPS
- Add the Strict-Transport-Security header to all HTTPS requests
The appropriate web.config would look like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict-Transport-Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and easy local development setup (no HTTPS on localhost):
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Redirect to www" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://www.yourdomain.com/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="HSTS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>
Of course, switch yourdomain with your actual domain.
- Consider adding `includeSubDomains` https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet – nmit026 Feb 12 '17 at 21:15
- @et I'm already using it... look at the full rewrite configuration at the bottom. – Ohad Schneider Feb 13 '17 at 08:46
- Is there a way to make this return 308 instead of 301? I have API clients sending POST requests and sending a 301 causes them to use a GET to the alternate address instead of a POST (which doesn't work since I never see the original POST to process). My understanding is 308 implies 'keep verb' AND permanent redirect (as opposed to temporary), but I can't see how to do that with the url rewrite. – Yort Mar 08 '17 at 02:21
- @Yort looks like you're out of luck: `redirectType` – Specifies the status code to use during redirect: 301 – Permanent, 302 – Found, 303 – See other, 307 – Temporary (https://www.iis.net/learn/extensions/url-rewrite-module/url-rewrite-module-configuration-reference). – Ohad Schneider Mar 09 '17 at 22:51
- That's what I feared. Thanks for confirming. I may need to resort to a custom asp.net filter in my app I guess. Shame, I liked this solution. – Yort Mar 11 '17 at 01:30
- Great solution. I'm using it on an Azure App Service and it works fine. – Augusto Barreto Apr 24 '17 at 21:32
- Thanks for this answer. If we want to use this for a site on a subdomain (e.g. `shop.mysite.com`) do I simply remove the `Redirect to www` rule? – Jake May 01 '17 at 05:04
- @Jake not necessarily, that rule would only redirect anything that starts with `mysite.com` to `www.mysite.com`. Hence, `shop.mysite.com` (or any other subdomain) would not be affected. – Ohad Schneider May 01 '17 at 09:15
- @OhadSchneider This is pretty much what I have implemented, but am having an issue with the fact I don't know the domain and that I need to make sure I don't redirect subdomains to the www version. I've tried to explain on this question: https://stackoverflow.com/questions/44910233/iis-url-rewrite-rules-www-ssl-web-config Any chance you can advise? – David Hamilton Jul 04 '17 at 19:27
- This solution requires an IIS extension: the URL Rewrite Module https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module. – Polyfun Aug 06 '18 at 08:50
There is an IIS module which enables HSTS compliant with the HSTS Draft Specification (RFC 6797); you can find it here https://hstsiis.codeplex.com/
DON'T TRY THIS:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
because this will include the STS header in HTTP responses over non-secure transport.
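As an added example that is not part of either answer: a small Python checker for the properties both answers turn on, assuming you pass it the status code and headers you observed for one URL over http:// and over https:// (the sample responses below are constructed, not captured from a real host). It flags a missing permanent redirect, a redirect that loses the path or query string, the STS header leaking onto plain HTTP as the customHeaders config above would do, and a header that would not meet the preload requirements.

```python
from urllib.parse import urlsplit
PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age hstspreload.org accepts

# Constructed sample (status, headers) responses, not captured from a real host.
GOOD_HTTP = (301, {"Location": "https://www.yourdomain.com/cart?id=5"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
BAD_HTTP = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

def parse_sts(value):
    """Split a Strict-Transport-Security value into {directive: argument or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or True
    return directives

def check_hsts(request_url, http_resp, https_resp, want_preload=True):
    """Findings for one URL given the (status, headers) seen over plain HTTP and over HTTPS."""
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    # RFC 6797 7.2: plain HTTP gets a permanent redirect (301; 308 also keeps the verb).
    if status not in (301, 308):
        findings.append(f"http: expected a permanent redirect, got {status}")
    src, dst = urlsplit(request_url), urlsplit(headers.get("location", ""))
    if dst.scheme != "https" or not dst.hostname:
        findings.append("http: redirect target is not an https:// URL")
    elif (dst.path, dst.query) != (src.path, src.query):
        findings.append("http: redirect drops the original path or query string")
    # RFC 6797 7.2: the STS header must not be sent over non-secure transport.
    if "strict-transport-security" in headers:
        findings.append("http: Strict-Transport-Security sent over plain HTTP")
    headers = {k.lower(): v for k, v in https_resp[1].items()}
    sts = headers.get("strict-transport-security")
    if sts is None:
        findings.append("https: Strict-Transport-Security header missing")
        return findings
    d = parse_sts(sts)
    age = d.get("max-age")
    max_age = int(age) if isinstance(age, str) and age.isdigit() else -1
    if max_age < 0:
        findings.append("https: max-age directive missing or not a non-negative integer")
    if want_preload:  # what the Chromium preload list requires of the header
        if max_age < PRELOAD_MIN_AGE:
            findings.append(f"https: max-age {max_age} is below the preload minimum")
        if d.get("includesubdomains") is not True:
            findings.append("https: includeSubDomains is required for preload")
        if d.get("preload") is not True:
            findings.append("https: preload directive missing")
    return findings
```

Run it against the header pairs you capture with curl (once for http:// and once for https:// on the same path) before submitting a domain to the preload list.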
- Then, how DO you install it? Can I install the HSTS-IIS-Module-2.0.0.msi file in Azure? Or do I copy the .dlls to my bin folder for my ASP.NET MVC 5 application? – PussInBoots Jun 09 '15 at 09:42