UCF STIG Viewer Logo

The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).


Finding ID Version Rule ID IA Controls Severity
V-100189 IIST-SV-000205 SV-109293r1_rule Low
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Whitelist". If the browser does not support HSTS, it will be ignored.
Microsoft IIS 10.0 Server Security Technical Implementation Guide 2020-06-08


Check Text ( C-99043r1_chk )
Access the IIS 10.0 Web Server.

Open IIS Manager.

In the "Connections" pane, select the server name.

In the "Features View" pane, open "HTTP Response Headers".

Verify an entry exists named "Strict-Transport-Security".

Open "Strict-Transport-Security" and verify the value box contains a value greater than 0.

Click "OK".

If HSTS has not been enabled, this is a finding.
The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding.
If the version of Windows Server does not natively support HSTS, this is not a finding.
Fix Text (F-105875r1_fix)
Access the IIS 10.0 Web Server.

Access an administrative command prompt and type the following commands, substituting proper domain name:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.enabled:True" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.max-age:480" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.includeSubDomains:True" /commit:apphost
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='Contoso'].hsts.redirectHttpToHttps:True" /commit:apphost