I have been looking for how to enable HSTS on an ASP.NET application. I finally found a way, but I'm a bit confused by the values of the tags. Please refer to the XML below: do the values in parentheses indicate that I should replace them with my own values, or are those values themselves?

In case this is a wrong or inappropriate way to enable HSTS, then any other way is also welcome.

```xml
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
          redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security"
          pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=expireTime" />
    </rule>
  </outboundRules>
</rewrite>
```
Amir
  • The rule names are self-explaining. – Lex Li Jan 23 '20 at 18:59
  • In my opinion, there is no need to modify the URL rewrite rule; it works well. Besides, I suggest you refer to the [article](https://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx) below to learn how it works. – Brando Zhang Jan 24 '20 at 02:31

0 Answers
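As an added example (not part of the original question or its comments): a small Python check of a `Strict-Transport-Security` value against the RFC 6797 grammar, showing that the literal placeholder `max-age=expireTime` from the outbound rule is not a valid header, while a whole number of seconds is. The function names and the `31536000` sample value are assumptions made for this example.

```python
import re

# RFC 6797 section 6.1: directives are separated by ";", directive names are
# case-insensitive, no directive may repeat, and max-age is REQUIRED with a
# value of 1*DIGIT seconds (optionally written as a quoted-string).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) or raise ValueError."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives are permitted
            continue
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not _TOKEN.match(name):
            raise ValueError(f"bad directive name: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # unwrap quoted-string form
        seen[name] = arg if sep else None
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError(f"max-age must be whole seconds, got {age!r}")
    if seen.get("includesubdomains", None) is not None:
        raise ValueError("includeSubDomains takes no value")
    return int(age), "includesubdomains" in seen


def is_valid(value):
    """True when a browser following RFC 6797 would accept the header."""
    try:
        parse_hsts(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; the first is the rule's value as posted.
    for sample in ("max-age=expireTime", "max-age=31536000; includeSubDomains"):
        print(f"{sample!r}: {'valid' if is_valid(sample) else 'INVALID'}")
```
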