HTTP Strict Transport Security (HSTS) is an optional security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, it prevents any communication to the specified domain from being sent over HTTP and instead, sends it over HTTPS. It also prevents HTTPS click-through prompts on browsers.
Open the web.config file and perform the following transformations:
NOTE: You are always sending the header - even when you are not under HTTPS.
The first rule is redirecting always from HTTP to HTTPS, while the second one is adding Strict-Transport-Security header.
NOTE: If you have a load-balanced environment, the HSTS header can be configured on the load balancer instead of the webserver.
Back To Top