4

My company is using Tenable to identify security vulnerabilities. Missing HSTS was identified recently. Our server is using IIS 10.

I've added the HSTS header as outlined in multiple blogs, and questions here on SO.

My root web.config looks like this:


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings>
        <add key="Environment" value="Local" />
    </appSettings>
    <system.webServer>
        <rewrite>
            <rules>
                <!-- Inbound rule: send every plain-HTTP request to the same path over HTTPS -->
                <rule name="HTTP to HTTPS redirect global" stopProcessing="true" >
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <!-- Outbound rule: set the Strict-Transport-Security response header,
                     but only on responses that were served over HTTPS -->
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Problem: After the changes have been applied, Tenable is still showing a vulnerability. Further, upon inspecting a site in Firefox's dev tools, I can see the header is present; however, the Security tab indicates that HSTS is disabled.

Question: How do I make this change show up for Firefox and Tenable?


rogerdeuce
  • What is your specific version of IIS? Adding Strict-Transport-Security through URL Rewrite does not seem to be suitable for IIS 10; I suggest you configure it through the [<hsts> element](https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts#iis-100-version-1709-native-hsts-support), and then check if HSTS is disabled. – samwu Nov 03 '20 at 07:55
  • @samwu we're running version 10.0.18362.1. I did attempt to use IIS to set the HSTS (following your link); this results in the same scenario outlined in the question: the header is present, and the Security tab displays "disabled". Before performing this test, I did remove the manually created root web.config. – rogerdeuce Nov 04 '20 at 17:11

1 Answer

-1

It could also be related to the preload tag that you mentioned in the HSTS header. Are you certain that your site is already added to the preload list (maintained by Google/Chrome)?

If you are deploying your site as a sub-domain, then you may also need to add HSTS to the parent domain (which is not a sub-domain) and submit it for preload.

Once done, you can verify and look for more details at https://hstspreload.org/

Atta H.
  • I've tested excluding subdomains, preload, and both at the same time. Each time the header matches the config, but I'm left with the same Tenable/Firefox issue. – rogerdeuce Nov 11 '20 at 15:45
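Both the question (is the header IIS emits actually well-formed and what a scanner expects?) and the answer (does the value satisfy the preload-list prerequisites?) come down to checking the Strict-Transport-Security value itself. The script below is an added example, not code from the question author, the answerer, Tenable or Microsoft. It parses the header value according to the RFC 6797 directive grammar (case-insensitive directive names, optional quoted values, unknown directives ignored, `max-age` required), reports findings a scanner or hstspreload.org would raise, and can optionally fetch the header from a live `https://` URL with certificate verification on. The `assess` thresholds (one-year `max-age`, `includeSubDomains` required for `preload`) follow the published hstspreload.org submission requirements; the function and its findings text are this example's own. Note that browsers only honour the header on a response delivered over TLS with a certificate they trust, so a syntactically valid header on a connection with certificate errors is still ignored.

```python
"""Parse, assess, and optionally fetch a Strict-Transport-Security header (RFC 6797 s6.1)."""
import http.client
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; minimum max-age for the hstspreload.org list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value. Raises ValueError for anything a user agent would reject."""
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # a trailing ';' yields an empty directive, which is permitted
        name, sep, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None  # values may be quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")  # s6.1: MUST NOT repeat
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age requires a non-negative integer value")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as s6.1 requires of user agents
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(policy: HstsPolicy, min_age: int = ONE_YEAR) -> List[str]:
    """Return findings a scanner or the preload list would raise; empty list means clean."""
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS entry")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the {min_age}s minimum")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age >= 31536000")
    return findings


def fetch_hsts(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the header from a live host, verifying the certificate as a browser would."""
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("HSTS is only honoured over HTTPS; give an https:// URL")
    conn = http.client.HTTPSConnection(
        u.hostname, u.port or 443, timeout=timeout, context=ssl.create_default_context()
    )
    conn.request("HEAD", u.path or "/", headers={"Host": u.hostname})
    try:
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def check_value(value: Optional[str]) -> List[str]:
    """Combine parse and assess into one report for a header value (None = header absent)."""
    if value is None:
        return ["Strict-Transport-Security header is absent"]
    try:
        return assess(parse_hsts(value))
    except ValueError as exc:
        return [f"malformed header: {exc}"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        header = fetch_hsts(sys.argv[1])  # e.g. python hsts_check.py https://example.test/
    else:
        header = "max-age=31536000; includeSubDomains; preload"  # constructed: the web.config value
    print("header:", header)
    print("findings:", check_value(header) or "none")
```

Run it with no arguments to assess the exact value the question's web.config sets (which comes back clean), or pass an `https://` URL to fetch and assess the header a server really sends. A `malformed header` or `header is absent` finding points at the server configuration; a clean report with Firefox still showing HSTS disabled points at the transport (certificate trust, or a hostname the browser will not cache HSTS for) rather than at the header value.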