HTTP Strict Transport Security (HSTS) instructs a browser that has once received the Strict-Transport-Security response header over HTTPS to connect to that site only over TLS for the next max-age seconds, rewriting any http:// reference itself instead of relying on the server's HTTP-to-HTTPS redirect. The redirect is still required for the first, unprotected visit (and after max-age expires) unless the site is on the browsers' public preload list ("allowlist"). HSTS therefore depends on the browser, the web server, and that public preload list. A browser that does not support HSTS ignores the header and falls back to ordinary redirection.
Microsoft IIS 10.0 Server Security Technical Implementation Guide, 2022-12-09

Check Text (C-20299r810854_chk)
Access the IIS 10.0 Web Server.
Open IIS Manager.
Click the IIS 10.0 web server name.
Open Configuration Editor under Management.
For the Section, navigate to system.applicationHost/sites.
Expand siteDefaults, then hsts.
If enabled is not set to True, this is a finding.
If includeSubDomains is not set to True, this is a finding.
If max-age is not set to a value greater than 0, this is a finding.
If redirectHttpToHttps is not True, this is a finding.
If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable.
If the version of Windows Server does not natively support HSTS, this is not a finding. (The hsts element was added in IIS 10.0 version 1709; Windows Server 2016 RTM builds of IIS 10.0 do not have it, so the settings above cannot be configured natively there.)
Note that a site that carries its own hsts element overrides siteDefaults, so the per-site value is the one the browser actually sees for that site.
Fix Text (F-20297r802885_fix)

Using the Configuration Editor in IIS Manager or PowerShell, under system.applicationHost/sites, siteDefaults, hsts:
Set enabled to True.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.
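The following PowerShell script is an added example, not part of the STIG text, that performs both the check above and the fix with the IISAdministration module (available on IIS 10.0 version 1709 and later). It reads the same system.applicationHost/sites/siteDefaults/hsts attributes the Configuration Editor shows, reports each condition that would be a finding, and optionally applies the fix values. The function names, the optional SiteName parameter (for auditing a site that overrides siteDefaults) and the one-year max-age default are assumptions made for this example; the STIG itself only requires max-age greater than 0.

```powershell
# Added example (not the STIG's own procedure): audit and remediate IIS 10.0 HSTS
# settings via the IISAdministration module. Run from an elevated PowerShell prompt.
Import-Module IISAdministration

function Get-HstsElement {
    # Walks system.applicationHost/sites -> siteDefaults -> hsts (the path the check uses),
    # or -> sites collection -> <site name> -> hsts when a site overrides the defaults.
    # On IIS 10.0 builds older than version 1709 the hsts element does not exist and this throws.
    param([string]$SiteName)
    $sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites'
    if ($SiteName) {
        $collection = Get-IISConfigCollection -ConfigElement $sites
        $parent = Get-IISConfigCollectionElement -ConfigCollection $collection -ConfigAttribute @{ name = $SiteName }
    } else {
        $parent = Get-IISConfigElement -ConfigElement $sites -ChildElementName 'siteDefaults'
    }
    return Get-IISConfigElement -ConfigElement $parent -ChildElementName 'hsts'
}

function Test-HstsCompliance {
    # Returns one string per STIG condition that is not met; an empty result means no finding.
    param([string]$SiteName)
    $hsts     = Get-HstsElement -SiteName $SiteName
    $enabled  = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'
    $subs     = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'
    $maxAge   = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'
    $redirect = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps'

    $findings = @()
    if (-not $enabled)  { $findings += 'enabled is not True' }
    if (-not $subs)     { $findings += 'includeSubDomains is not True' }
    if ($maxAge -le 0)  { $findings += 'max-age is not greater than 0' }
    if (-not $redirect) { $findings += 'redirectHttpToHttps is not True' }
    return $findings
}

function Set-HstsCompliant {
    # Applies the fix text. MaxAge defaults to one year (assumed value; the STIG only requires > 0).
    # Start/Stop-IISCommitDelay batch the four writes into a single applicationHost.config commit.
    param([string]$SiteName, [uint32]$MaxAge = 31536000)
    Start-IISCommitDelay
    try {
        $hsts = Get-HstsElement -SiteName $SiteName
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $MaxAge
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
    } finally {
        Stop-IISCommitDelay
    }
}

# Usage: audit the server defaults, remediate if anything is reported, then re-audit.
$findings = Test-HstsCompliance
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning "Finding: $_" }
    Set-HstsCompliant
    Test-HstsCompliance   # expected to return nothing after the fix
} else {
    Write-Output 'siteDefaults/hsts is compliant'
}
```

After applying the fix, confirm the header is actually emitted end to end, since a proxy or load balancer in front of IIS can strip or rewrite it: `(Invoke-WebRequest -Uri 'https://<your-site>/' -UseBasicParsing).Headers['Strict-Transport-Security']` should return a value of the form `max-age=31536000; includeSubDomains`. Raising max-age to a year is also the minimum browsers require before a site can be submitted to the public preload list, which is what closes the first-visit gap the redirect alone leaves open.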