How To Setup HSTS Response Header Via Web.Config

Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version: 9.0.2 and below. HSTS is enabled in 9.1 out of the box.



    This article explains how to set up the HSTS response header using the web.config files of the IIS directories.


    1. Open up IIS and right click on your Default Web Site. 

    2. From here, right click on web.config and open it up in your favorite administrative editing tool.  I will be using Notepad++.

    3. Paste the following rule in as shown.

      <!-- Goes inside <system.webServer><rewrite><outboundRules> -->
      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
        <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
        <conditions>
          <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        </conditions>
        <action type="Rewrite" value="max-age=31536000" />
      </rule>

      Once that is set, you're done!  You now have enabled HSTS!