Windows 2025

IIS : Enable HSTS
2024/12/18

 

Enable HSTS (HTTP Strict Transport Security) for Web Sites.

If you specify the [includeSubDomains] option below, all subdomains are included in the HSTS target, so verify beforehand that every subdomain can be accessed over HTTPS.

[1] Enable SSL/TLS settings for the Web Sites you'd like to enable HSTS on.

[2] Run PowerShell with administrator privileges and configure HSTS.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> Get-Website 

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:
RX-7.srv.world   2    Started    C:\inetpub\newsite             http *:80:rx-7.srv.world
                                                                https *:443:rx-7.srv.world sslFlags=0

# set the name of the site you'd like to enable HSTS on
PS C:\Users\Administrator> [String]$MySite = "RX-7.srv.world" 

# enable HSTS for the target site
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "enabled" -AttributeValue $true 

# set [max-age] of HSTS as 31536000 sec (365 days)
# for [max-age], refer to https://hstspreload.org/ 
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "max-age" -AttributeValue 31536000 

# set [includeSubDomains] of HSTS as enabled
# this option applies to all subdomains
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "includeSubDomains" -AttributeValue $true 

# set [redirectHttpToHttps] of HSTS as enabled
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "redirectHttpToHttps" -AttributeValue $true 

# set [preload] of HSTS as enabled
PS C:\Users\Administrator> Set-IISConfigAttributeValue -ConfigElement (Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts") -AttributeName "preload" -AttributeValue $true 

# confirm settings
PS C:\Users\Administrator> Get-IISConfigElement -ConfigElement (Get-IISConfigCollectionElement -ConfigCollection (Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection) -ConfigAttribute @{"name"=$MySite}) -ChildElementName "hsts" 

Attributes      : {enabled, max-age, includeSubDomains, preload...}
ChildElements   : {}
ElementTagName  : hsts
IsLocallyStored : True
Methods         :
RawAttributes   : {[enabled, True], [max-age, 31536000], [includeSubDomains, True], [preload, True]...}
Schema          : Microsoft.Web.Administration.ConfigurationElementSchema
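
The IIS configuration above only shows what is stored; what browsers act on is the Strict-Transport-Security response header. The following is an added example, not part of the original page: it parses a header value and compares it with the settings from step [2]. The function name Test-HstsHeader and the sample header strings are constructed for illustration.

```powershell
# Added example (not from the original page). Function name and sample
# header strings are constructed for illustration.
function Test-HstsHeader {
    param(
        [string]$HeaderValue = '',
        [long]$MinMaxAge = 31536000    # max-age set in step [2] (365 days)
    )
    $maxAge = $null; $subs = $false; $preload = $false
    foreach ($part in ($HeaderValue -split ';')) {
        $d = $part.Trim()
        # directive names are case-insensitive; the max-age value may be quoted
        if ($d -match '^max-age\s*=\s*"?(\d+)"?$') {
            $maxAge = [long]$Matches[1]
        } elseif ($d -ieq 'includeSubDomains') {
            $subs = $true
        } elseif ($d -ieq 'preload') {
            $preload = $true
        }
    }
    $problems = @()
    if ($null -eq $maxAge) {
        $problems += 'max-age missing: browsers ignore the header'
    } elseif ($maxAge -eq 0) {
        $problems += 'max-age=0: browsers drop the HSTS policy for this host'
    } elseif ($maxAge -lt $MinMaxAge) {
        $problems += "max-age $maxAge is below $MinMaxAge"
    }
    if (-not $subs)    { $problems += 'includeSubDomains not set' }
    if (-not $preload) { $problems += 'preload not set' }
    [pscustomobject]@{
        MaxAge            = $maxAge
        IncludeSubDomains = $subs
        Preload           = $preload
        MatchesPage       = ($problems.Count -eq 0)
        Problems          = $problems -join '; '
    }
}

# Constructed sample values; the first carries the directives configured above.
$samples = @(
    'max-age=31536000; includeSubDomains; preload',
    'max-age=300',
    'includeSubDomains; preload',
    'MAX-AGE="31536000"; INCLUDESUBDOMAINS; PRELOAD'
)
foreach ($s in $samples) { Test-HstsHeader -HeaderValue $s | Format-List }

# Against the live site (the header is only sent on HTTPS responses):
# $r = Invoke-WebRequest -Uri 'https://rx-7.srv.world/' -UseBasicParsing
# Test-HstsHeader -HeaderValue ([string]$r.Headers['Strict-Transport-Security'])
```
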
IIS : Enable HSTS (GUI)
 

For GUI configuration, set as follows.

[3] Run [Start] - [Server Manager] and Click [Tools] - [Internet Information Services (IIS) Manager], and then Select a Web Site you'd like to set HSTS and Click [HSTS...] on the right pane.
[4] Check a box [Enable].
For other items, refer to [https://hstspreload.org/].