UCF STIG Viewer Logo

The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).


Finding ID Version Rule ID IA Controls Severity
V-218827 IIST-SV-000205 SV-218827r810855_rule Low
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored.
Microsoft IIS 10.0 Server Security Technical Implementation Guide 2022-09-21


Check Text ( C-20299r810854_chk )
Access the IIS 10.0 Web Server.
Open IIS Manager.
Click the IIS 10.0 web server name.
Open on Configuration Editor under Management.
For the Section, navigate to system.applicationHost/sites.
Expand siteDefaults and HSTS.
If enabled is not set to True, this is a finding.
If includeSubDomains is not set to True, this is a finding.
If max-age is not set to a value greater than 0, this is a finding.
If redirectHttpToHttps is not True, this is a finding.

If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable.

If the version of Windows Server does not natively support HSTS, this is not a finding.
Fix Text (F-20297r802885_fix)
Using the Configuration Editor in the IIS Manager or Powershell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.