The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
An XCCDF Rule
Description
<VulnDiscussion>HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-218827r961863_rule
- Severity
- Low
- References
- Updated
Remediation - Manual Procedure
Using the Configuration Editor in the IIS Manager or Powershell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.