The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
An XCCDF Rule
Description
HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored.
- ID
- SV-218827r961863_rule
- Version
- IIST-SV-000205
- Severity
- Low
- References
- Updated
Remediation Templates
A Manual Procedure
Using the Configuration Editor in the IIS Manager or PowerShell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.
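The manual procedure above carried out in PowerShell, as an added example that is not part of the STIG text or any vendor script: it sets the native IIS 10.0 (version 1709 and later) hsts element on each site through the IISAdministration module and then reads the four values back as a check. The site enumeration and the one-year max-age of 31536000 seconds are assumptions.

```powershell
# Added example: configure and verify IIS 10.0 HSTS per site (IISAdministration module).
Import-Module IISAdministration

function Get-SiteHstsElement {
    # Returns the <hsts> child of the named <site> element in applicationHost.config.
    param([Parameter(Mandatory)] [string] $SiteName)
    $sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' |
             Get-IISConfigCollection
    $site  = Get-IISConfigCollectionElement -ConfigCollection $sites `
                 -ConfigAttribute @{ name = $SiteName }
    Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
}

function Set-SiteHsts {
    # Applies the four settings the rule requires inside a single commit.
    param([Parameter(Mandatory)] [string] $SiteName, [int] $MaxAgeSeconds = 31536000)  # one year (assumed)
    Reset-IISServerManager -Confirm:$false
    Start-IISCommitDelay
    try {
        $hsts = Get-SiteHstsElement -SiteName $SiteName
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $MaxAgeSeconds
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
        Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
    }
    finally { Stop-IISCommitDelay }
}

function Test-SiteHsts {
    # Check step: re-reads the committed values and reports each setting against the rule.
    param([Parameter(Mandatory)] [string] $SiteName)
    Reset-IISServerManager -Confirm:$false
    $hsts = Get-SiteHstsElement -SiteName $SiteName
    $v = @{}
    foreach ($n in 'enabled', 'max-age', 'includeSubDomains', 'redirectHttpToHttps') {
        $v[$n] = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName $n
    }
    [pscustomobject]@{
        Site                = $SiteName
        Enabled             = [bool]$v['enabled']
        MaxAge              = [int]$v['max-age']
        IncludeSubDomains   = [bool]$v['includeSubDomains']
        RedirectHttpToHttps = [bool]$v['redirectHttpToHttps']
        Compliant           = [bool]$v['enabled'] -and [int]$v['max-age'] -gt 0 -and
                              [bool]$v['includeSubDomains'] -and [bool]$v['redirectHttpToHttps']
    }
}

# Apply to every site on the server (assumed scope), then verify each one.
foreach ($s in Get-IISSite) { Set-SiteHsts -SiteName $s.Name }
Get-IISSite | ForEach-Object { Test-SiteHsts -SiteName $_.Name } | Format-Table -AutoSize
```

IIS emits the Strict-Transport-Security header only on HTTPS responses, so a site still needs a valid HTTPS binding for redirectHttpToHttps to lead anywhere; a site with only an HTTP binding will show Compliant but still not protect its users.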