11

So, I've seen this solution (http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx) used in other answers and other sites, but I don't understand HOW the HSTS header is being added. I assume it has a lot to do with this: 

<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />

Could someone explain where "RESPONSE_Strict_Transport_Security" is coming from?

Full code:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
John Smith
  • 167
  • 10

2 Answers2

5

I think I found it. From the "URL Rewrite Module 2.0 Configuration Reference":

If a server variable starts with "RESPONSE_", then it stores the content of an HTTP response header whose name is determined by using the following naming convention:

  1. All underscore ("_") symbols in the name are converted to dash symbols ("-").
  2. "RESPONSE_" prefix is removed

Then later in the doc:

Outbound rewrite rules in URL Rewrite Module 2.0 can be used to set new or modify existing response HTTP headers. The response HTTP headers are accessed within the outbound rules by using the same syntax as for server variables and by using the naming convention as described in Accessing Response Headers from Rewrite Rules. ... The pattern of the rewrite rule will be applied on the content of the specified response header and if the rule's pattern and optional conditions evaluates successfully then the value of that response header will be rewritten.

So the code in that example is expressing, "if the Strict-Transport-Security response header has any value (.*), including undefined, rewrite the value to max-age=31536000 (if the condition is met).

Johann
  • 4,107
  • 3
  • 40
  • 39
  • I think the .* also matches if the header didn't have any value or wasn't there at all. In that case the header will be added by the rule. – crokusek Feb 12 '20 at 22:05
  • @crokusek Agreed, and updated the answer to clarify. Thanks! – Johann Feb 12 '20 at 23:07
0

I can't point you to an exact source on this, but I can tell you from experimentation that "RESPONSE_Strict_Transport_Security" adds the "Strict-Transport-Security header to the response in the exact same way that "RESPONSE_Expect_Staple" adds an "Expect-Staple" header.

The following two links have some hint that we can expect the above behavior, but I've never found the documentation for how this works exactly.

https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/modifying-http-response-headers

Add custom header based on file type

cl0rkster
  • 359
  • 5
  • 14