
The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).


Overview

Finding ID: V-218827
Version: IIST-SV-000205
Rule ID: SV-218827r695271_rule
IA Controls: (none listed)
Severity: Low
Description
HTTP Strict Transport Security (HSTS) instructs a browser that has already reached a site over TLS to use only HTTPS for that host (and, with includeSubDomains, its subdomains) for the number of seconds given by max-age, rewriting http:// URLs to https:// before any request leaves the browser. This removes the dependence on server-side HTTP-to-HTTPS redirects after the first secure visit; the redirect is still needed for that first visit unless the host is on the public HSTS preload list (the "Allowlist") compiled into browsers. HSTS is enforced entirely by the browser: a client that does not support it simply ignores the Strict-Transport-Security header.
STIG: Microsoft IIS 10.0 Server Security Technical Implementation Guide
Date: 2021-03-24

Details

Check Text (C-20299r695269_chk)
Access the IIS 10.0 Web Server.

Open IIS Manager.

Click the IIS 10.0 web server name.

Click on HSTS.

Verify “Enable” is checked, and Max-Age is set to something other than “0”.

Verify “IncludeSubDomains” and “Redirect HTTP to HTTPS” are checked.

Click "OK".

If HSTS has not been enabled, this is a finding.

If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable.

The recommended max age is 8 minutes (480 seconds) or greater. Any value greater than 0 is not a finding. Note that common hardening guidance and the browser preload list expect a much longer max-age (31536000 seconds, one year), so a passing but short value still leaves a wide window in which a returning client can be downgraded.

If the version of Windows Server does not natively support HSTS, this is not a finding. (Native HSTS support, including the HSTS node in IIS Manager and the hsts element in applicationHost.config, arrived with IIS 10.0 version 1709; Windows Server 2016 ships IIS 10.0 version 1607 and lacks it, so HSTS there can only be added as a custom response header or at a proxy.)
Fix Text (F-20297r695270_fix)
Enable HSTS via IIS Manager or PowerShell.
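The following script is an added example written for this page; it is not the STIG's own fix text and not Microsoft code. It scripts both the check text above (enabled, max-age greater than 0, IncludeSubDomains, Redirect HTTP to HTTPS) and the fix, using the IISAdministration module that ships with IIS 10.0 version 1709 and later. The remediation value of 31536000 seconds (one year) is an assumption of this example; the STIG only requires a value greater than 0.

```powershell
# Added example: audit and remediate HSTS on every IIS site.
# Requires IIS 10.0 version 1709 or later (older schemas have no "hsts" element
# and Get-IISConfigElement will throw) and an elevated PowerShell session.
Import-Module IISAdministration

function Get-HstsSiteElement {
    # Returns the <hsts> child of the named <site> in applicationHost.config.
    param([Parameter(Mandatory)][string]$SiteName)
    $sites = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
    $site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $SiteName }
    return Get-IISConfigElement -ConfigElement $site -ChildElementName "hsts"
}

function Test-HstsCompliance {
    # Mirrors the STIG check: enabled, max-age > 0, includeSubDomains, redirectHttpToHttps.
    param([Parameter(Mandatory)][string]$SiteName)
    $hsts = Get-HstsSiteElement -SiteName $SiteName
    $r = [ordered]@{
        Site                = $SiteName
        Enabled             = [bool](Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "enabled")
        MaxAge              = [int](Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "max-age")
        IncludeSubDomains   = [bool](Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "includeSubDomains")
        RedirectHttpToHttps = [bool](Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "redirectHttpToHttps")
    }
    # "Finding" is true when any of the four checked conditions fails.
    $r.Finding = -not ($r.Enabled -and $r.MaxAge -gt 0 -and $r.IncludeSubDomains -and $r.RedirectHttpToHttps)
    return [pscustomobject]$r
}

function Set-HstsCompliant {
    # Applies the fix: all four attributes set, max-age defaulting to one year (example assumption).
    param([Parameter(Mandatory)][string]$SiteName, [int]$MaxAge = 31536000)
    Start-IISCommitDelay
    try {
        $hsts = Get-HstsSiteElement -SiteName $SiteName
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "enabled"             -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "max-age"             -AttributeValue $MaxAge
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "includeSubDomains"   -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName "redirectHttpToHttps" -AttributeValue $true
    }
    finally {
        # Stop-IISCommitDelay writes the batched changes to applicationHost.config.
        Stop-IISCommitDelay
    }
}

# Audit every site, print the report, then remediate only the sites that are findings.
Reset-IISServerManager -Confirm:$false
$report = Get-IISSite | ForEach-Object { Test-HstsCompliance -SiteName $_.Name }
$report | Format-Table -AutoSize
$report | Where-Object Finding | ForEach-Object { Set-HstsCompliant -SiteName $_.Site }
```

Two caveats before running the remediation loop: IIS only emits the Strict-Transport-Security header on HTTPS responses, so a site with no https binding will be marked compliant in configuration yet never deliver the policy; and includeSubDomains applies to every name under the site's host, so confirm that each subdomain is reachable over TLS first, because a browser that has cached the policy will refuse plain HTTP to any of them for the full max-age.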