
HTTP header field that enforces HTTPS on your website

By Peter Örneholm | Blog | 23 August 2014

I recently learned about HTTP Strict Transport Security (HSTS), which is basically a way of forcing the browser to always use HTTPS for your website.

It does so by rewriting any http:// URL for your domain to https:// before the request is even sent. By doing so we ensure that no data for the domain is sent over an insecure connection. It’s supported in all modern browsers (an upcoming feature in IE12), and if used in combination with a permanent redirect rule on your server it’s a pretty good way of ensuring that users reach your website over HTTPS.

There are two options available:

  • max-age : Required. Specifies for how long (in seconds) the UA (browser) should keep rewriting URLs for the domain to HTTPS.
  • includeSubDomains : Optional. Specifies that the browser should apply the rewrite to all subdomains (for example www) as well.

To implement it in IIS, simply add this to your web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- max-age is one year in seconds; includeSubDomains covers e.g. www -->
            <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

And if used together with this rewrite rule, you should be good to go:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="Enforce HTTPS" enabled="true">
                <match url="(.*)" ignoreCase="false" />
                <conditions>
                    <!-- only fires for requests that arrived over plain HTTP -->
                    <add input="{HTTPS}" pattern="off" />
                </conditions>
                <!-- 301 to the same host and path; the query string is carried along -->
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
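To verify that a deployment actually sends the header described above and the redirect the rewrite rule is meant to produce, here is a small checker written for this post (added example, not part of the original). It parses the Strict-Transport-Security value the way RFC 6797 tells browsers to (directive names case-insensitive, duplicates invalidate the header, max-age required), flags a policy weaker than the one-year-plus-includeSubDomains setting the web.config uses, and confirms an http:// response is a 301 to the same https:// URL; the sample header dicts are constructed, not captured from a real site.

```python
import re
ONE_YEAR = 31536000  # seconds; the max-age the post's web.config sends

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 into a dict of
    lower-cased directive -> value. Returns None when a browser would ignore
    the header: a repeated directive, or max-age missing or not an integer."""
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing ';'
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # a duplicate directive invalidates the whole header
        directives[name] = arg.strip().strip('"')  # value may be quoted
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def evaluate_hsts(headers, min_age=ONE_YEAR):
    """List deviations from the post's policy (one-year max-age plus
    includeSubDomains) found in a dict of HTTPS response headers."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(sts)
    if policy is None:
        return ["Strict-Transport-Security header is malformed"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif policy["max-age"] < min_age:
        findings.append(f"max-age {policy['max-age']} is below {min_age} seconds")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains not set; subdomains stay reachable over HTTP")
    return findings

def check_http_redirect(status, location, host, path):
    """True when an http:// request received the permanent redirect the post's
    rewrite rule issues: https scheme, same host, same path and query string."""
    return status == 301 and location == f"https://{host}{path}"

# Constructed sample responses (not captured from a real site).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK = {"strict-transport-security": "max-age=600"}
print(evaluate_hsts(GOOD), evaluate_hsts(WEAK))
```

Feeding it the headers and redirect of a live response (for example from `http.client` or a browser's network panel) turns the post's two config fragments into a repeatable check.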

For more information, Wikipedia has a great article on the subject.
