How To Set Up HSTS Response Header Via Web.Config

SecureAuth IdP Version: 9.0.2 and below. HSTS is enabled in 9.1 out of the box.



This article explains how to set up HSTS response headers using the web.config files of the IIS directories.


  1. Open up IIS and right click on your Default Web Site. 

  2. From here, right click on web.config and open it up in your favorite administrative editing tool.  I will be using Notepad++.

  3. Paste the following rule in as shown.

    <!-- Place inside <system.webServer><rewrite><outboundRules> -->
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>

Once that is set, you're done!  You have now enabled HSTS!