Default HSTS Settings for a Web Site <hsts>

Overview

The <hsts> element of the <siteDefaults> element contains attributes that allow you to configure default HTTP Strict Transport Security (HSTS) settings for a site on IIS 10.0 version 1709 and later.

Note

If the <hsts> element is configured in both the <siteDefaults> section and in the <site> section for a specific site, the configuration in the <site> section is used for that site.

Compatibility

Version                  Notes
IIS 10.0 version 1709    The <hsts> element of the <siteDefaults> element was introduced in IIS 10.0 version 1709.
IIS 10.0                 N/A
IIS 8.5                  N/A
IIS 8.0                  N/A
IIS 7.5                  N/A
IIS 7.0                  N/A
IIS 6.0                  N/A

Setup

The <hsts> element of the <siteDefaults> element is included in the default installation of IIS 10.0 version 1709 and later.

How To

There is no user interface that lets you configure the <hsts> element of the <siteDefaults> element for IIS 10.0 version 1709. For examples of how to configure the <hsts> element of the <siteDefaults> element programmatically, see the Sample Code section of this document.

Configuration

Attributes

Attribute Description
enabled Optional Boolean attribute.

Specifies whether HSTS is enabled (true) or disabled (false) for a site. If HSTS is enabled, IIS adds the Strict-Transport-Security HTTP response header when it responds to an HTTPS request to the web site.

The default value is false.
max-age Optional uint attribute.

Specifies the value, in seconds, of the max-age directive in the Strict-Transport-Security HTTP response header field value.

The default value is 0.
includeSubDomains Optional Boolean attribute.

Specifies whether the includeSubDomains directive is included in the Strict-Transport-Security HTTP response header field value.

Note: Enable this attribute only if every subdomain actually serves HTTP over TLS/SSL.

The default value is false.
preload Optional Boolean attribute.

Specifies whether the preload directive is included in the Strict-Transport-Security HTTP response header field value.

Note: Enable this attribute only if the domain of the site has been submitted for inclusion in the HSTS preload list.

The default value is false.
redirectHttpToHttps Optional Boolean attribute.

Specifies whether HTTP to HTTPS redirection is enabled (true) or disabled (false) for a site.

Note: Enabling redirectHttpToHttps enforces site-level HTTP to HTTPS redirection. When IIS redirects an HTTP request, it replaces the URI scheme with "https" and drops the port component, so make sure that the redirect destination serves HTTP over TLS/SSL on the standard port 443.

The default value is false.

Child Elements

None.

Configuration Sample

The following configuration sample specifies the default <hsts> options for IIS 10.0 version 1709 and later.

<system.applicationHost>
    <sites>
        <siteDefaults>
            <hsts enabled="true" max-age="31536000" includeSubDomains="true" redirectHttpToHttps="true" />
        </siteDefaults>
    </sites>
</system.applicationHost>
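As an added example (not code from the IIS documentation, and run under Node.js rather than the IIS scripting host), the following models what the attributes above turn into on the wire: the effective <hsts> settings for a site, the Strict-Transport-Security header IIS emits for them, the target of the redirectHttpToHttps redirect, and a parser that checks a header captured from a server against the intended configuration. The attribute-by-attribute merge of a <site>-level <hsts> over <siteDefaults>, and the sample values, are assumptions.

```javascript
// Added example (not from the IIS docs); merge order in effectiveHsts is an assumption.
const HSTS_DEFAULTS = { enabled: false, "max-age": 0, includeSubDomains: false,
                        preload: false, redirectHttpToHttps: false };
// Effective settings: <site>-level <hsts> beats <siteDefaults> (assumed attribute-wise) beats schema defaults.
function effectiveHsts(siteDefaults, siteOverride) {
  return Object.assign({}, HSTS_DEFAULTS, siteDefaults || {}, siteOverride || {});
}

// Header value IIS adds to an HTTPS response; null when HSTS is disabled (no header at all).
function expectedHeader(cfg) {
  if (!cfg.enabled) return null;
  const parts = [`max-age=${cfg["max-age"]}`];
  if (cfg.includeSubDomains) parts.push("includeSubDomains");
  if (cfg.preload) parts.push("preload");
  return parts.join("; ");
}

// redirectHttpToHttps target: the scheme becomes https and any explicit port is dropped (see attribute table).
function redirectTarget(httpUrl) {
  const u = new URL(httpUrl);
  if (u.protocol !== "http:") return null; // only plain HTTP requests are redirected
  u.protocol = "https:"; u.port = "";
  return u.toString();
}

// Parse a Strict-Transport-Security field value (RFC 6797): ';'-separated directives,
// case-insensitive names, optional quoted values, max-age required, unknown directives ignored.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const d = raw.trim();
    if (!d) continue;
    const [name, val = ""] = d.split(/\s*=\s*/, 2);
    const key = name.toLowerCase(), v = val.replace(/^"(.*)"$/, "$1");
    if (key === "max-age" && /^\d+$/.test(v)) out.maxAge = Number(v);
    else if (key === "max-age") throw new Error("invalid max-age: " + d);
    else if (key === "includesubdomains") out.includeSubDomains = true;
    else if (key === "preload") out.preload = true;
  }
  if (out.maxAge === null) throw new Error("max-age directive missing");
  return out;
}

// True when the header observed on the wire matches what the config should emit.
function headerMatchesConfig(headerValue, cfg) {
  const want = expectedHeader(cfg);
  if (want === null || headerValue == null) return want === null && headerValue == null;
  const a = parseHsts(headerValue), b = parseHsts(want);
  return a.maxAge === b.maxAge && a.includeSubDomains === b.includeSubDomains && a.preload === b.preload;
}
```

Because RFC 6797 treats max-age=0 as an instruction to forget the host, enabled="true" with the default max-age of 0 produces a header that pins nothing, and headerMatchesConfig will still report it as matching the configuration.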

Sample Code

The following code samples configure the default <hsts> options for IIS 10.0 version 1709 and later.

AppCmd.exe

appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.hsts.enabled:"True" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.hsts.max-age:"31536000" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.hsts.includeSubDomains:"True" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.hsts.redirectHttpToHttps:"True" /commit:apphost

Note

Be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the applicationHost.config file.

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
    private static void Main()
    {
        using(ServerManager serverManager = new ServerManager())
        { 
            Configuration config = serverManager.GetApplicationHostConfiguration();
            ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
            ConfigurationElement siteDefaultsElement = sitesSection.GetChildElement("siteDefaults");
            
            ConfigurationElement hstsElement = siteDefaultsElement.GetChildElement("hsts");
            hstsElement["enabled"] = true;
            hstsElement["max-age"] = 31536000;
            hstsElement["includeSubDomains"] = true;
            hstsElement["redirectHttpToHttps"] = true;
            
            serverManager.CommitChanges();
        }
    }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample

   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
      Dim siteDefaultsElement As ConfigurationElement = sitesSection.GetChildElement("siteDefaults")

      Dim hstsElement As ConfigurationElement = siteDefaultsElement.GetChildElement("hsts")
      hstsElement("enabled") = True
      hstsElement("max-age") = 31536000
      hstsElement("includeSubDomains") = True
      hstsElement("redirectHttpToHttps") = True

      serverManager.CommitChanges()
   End Sub

End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var siteDefaultsElement = sitesSection.ChildElements.Item("siteDefaults");

var hstsElement = siteDefaultsElement.ChildElements.Item("hsts");
hstsElement.Properties.Item("enabled").Value = true;
hstsElement.Properties.Item("max-age").Value = 31536000;
hstsElement.Properties.Item("includeSubDomains").Value = true;
hstsElement.Properties.Item("redirectHttpToHttps").Value = true;

adminManager.CommitChanges();

VBScript

Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set siteDefaultsElement = sitesSection.ChildElements.Item("siteDefaults")

Set hstsElement = siteDefaultsElement.ChildElements.Item("hsts")
hstsElement.Properties.Item("enabled").Value = True
hstsElement.Properties.Item("max-age").Value = 31536000
hstsElement.Properties.Item("includeSubDomains").Value = True
hstsElement.Properties.Item("redirectHttpToHttps").Value = True

adminManager.CommitChanges()

IISAdministration PowerShell Cmdlets

Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$sitesCollection = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
$siteDefaultsElement = Get-IISConfigElement -ConfigElement $sitesCollection -ChildElementName "siteDefaults"
$hstsElement = Get-IISConfigElement -ConfigElement $siteDefaultsElement -ChildElementName "hsts"
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "enabled" -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "max-age" -AttributeValue 31536000
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "includeSubDomains" -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "redirectHttpToHttps" -AttributeValue $true

Stop-IISCommitDelay
Remove-Module IISAdministration