Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles


Solution 1

The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:

  1. Redirect all HTTP requests to HTTPS
  2. Add the Strict-Transport-Security header to all HTTPS requests

The appropriate web.config would look like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict-Transport-Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and easy local development setup (no HTTPS on localhost):

<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Redirect to www" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://www.yourdomain.com/{R:1}" 
           redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="HSTS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>

Of course, switch yourdomain with your actual domain.

Solution 2

There is an IIS module which enables HSTS compliant with the HSTS Draft Specification (RFC 6797); you can find it here https://hstsiis.codeplex.com/

DON'T TRY THIS:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

because this will include the STS header in HTTP responses over non-secure transport.
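The two properties both answers turn on (the HTTP leg must redirect without carrying the header, the HTTPS leg must carry a well-formed header that is strong enough for preload) can be checked mechanically. The following is an added example, not code from either answer or from the linked IIS module; it assumes responses captured as plain dicts with a status code and lower-cased headers, and treats the one-year max-age used in the rewrite rules above as the preload minimum.

```python
# Added example: validate an HSTS deployment from captured responses.
# Header parsing follows RFC 6797 (directive list, case-insensitive
# names, max-age required, duplicate directives invalid).
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year, the value used in the rewrite rules


def parse_hsts(value):
    """Return {directive: value_or_None}, or None if the header is malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a repeated directive invalidates the header
            return None
        directives[name] = val.strip().strip('"') if eq else None
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        return None
    return directives


def check_deployment(http_resp, https_resp, want_preload=False):
    """http_resp / https_resp: {'status': int, 'headers': {lowercase-name: value}}.
    Returns a list of findings; an empty list means the deployment looks right."""
    findings = []
    # Plain-HTTP leg: browsers ignore HSTS received over HTTP, so a header here
    # only signals the misconfiguration shown in the customHeaders snippet above.
    if "strict-transport-security" in http_resp["headers"]:
        findings.append("HSTS header sent over plain HTTP")
    loc = http_resp["headers"].get("location", "")
    if http_resp["status"] not in (301, 308) or urlsplit(loc).scheme != "https":
        findings.append("HTTP request not permanently redirected to https")
    # HTTPS leg: header present, well-formed, and strong enough for the goal.
    hsts = https_resp["headers"].get("strict-transport-security")
    parsed = parse_hsts(hsts) if hsts else None
    if parsed is None:
        findings.append("HTTPS response missing or malformed Strict-Transport-Security")
        return findings
    if want_preload:
        if int(parsed["max-age"]) < PRELOAD_MIN_AGE:
            findings.append("preload requires max-age >= 31536000")
        for directive in ("includesubdomains", "preload"):
            if directive not in parsed:
                findings.append(f"preload requires the {directive} directive")
    return findings
```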


Author: Mahmoud Samy

I'm a dad, software engineer, maker & DIYer. I have been writing code since the 90s. Developing in everything from object oriented to functional, and working on projects from web-scale to embedded devices.

Updated on September 16, 2022

Comments

  • Mahmoud Samy
    Mahmoud Samy over 1 year

    How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?

    • trailmax
      trailmax about 10 years
      So you are after a redirecting filter that sends 301 for non secure requests? If you include these details, perhaps it would be easier to get an answer, rather than point people to RFC
  • PussInBoots
    PussInBoots almost 9 years
    Then, how DO you install it? Can I install the HSTS-IIS-Module-2.0.0.msi file in Azure? Or do I copy the .dlls to my bin folder for my ASP.NET MVC 5 application?
  • Ohad Schneider
    Ohad Schneider about 7 years
    @et I'm already using it... look at the full rewrite configuration at the bottom.
  • Yort
    Yort about 7 years
    Is there a way to make this return 308 instead of 301? I have API clients sending POST requests and sending a 301 causes them to use a GET to the alternate address instead of a POST (which doesn't work since I never see the original POST to process). My understanding is 308 implies 'keep verb' AND permanent redirect (as opposed to temporary), but I can't see how to do that with the url rewrite.
  • Ohad Schneider
    Ohad Schneider about 7 years
    @Yort looks like you're out of luck: redirectType – Specifies the status code to use during redirect: 301 – Permanent, 302 – Found, 303 – See other, 307 – Temporary (iis.net/learn/extensions/url-rewrite-module/…).
  • Yort
    Yort about 7 years
    That's what I feared. Thanks for confirming. I may need to resort to a custom asp.net filter in my app I guess. Shame, I liked this solution.
  • Augusto Barreto
    Augusto Barreto about 7 years
    Great solution. I'm using it on an Azure App Service and it works fine.
  • Jake
    Jake almost 7 years
    Thanks for this answer. If we want to use this for a site on a subdomain (e.g. shop.mysite.com) do I simply remove the Redirect to www rule?
  • Ohad Schneider
    Ohad Schneider almost 7 years
    @Jake not necessarily, that rule would only redirect anything that starts with mysite.com to www.mysite.com. Hence, shop.mysite.com (or any other subdomain) would not be affected.
  • David Hamilton
    David Hamilton almost 7 years
    @OhadSchneider This is pretty much what I have implemented, but am having an issue with the fact I don't know the domain and that I need to make sure I don't redirect subdomains to the www version. I've tried to explain on this question: stackoverflow.com/questions/44910233/… Any chance you can advise?
  • Polyfun
    Polyfun over 5 years
    This solution requires an IIS extension: the URL Rewrite Module docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/….