Would you like to learn how to enable the HSTS feature on the IIS of a Windows server? In this tutorial, we are going to show you how to enable on IIS the feature called HTTP Strict Transport Security.

• Windows 2012 R2
• Windows 2016

Hardware List:

The following section presents the list of equipment used to create this tutorial.

Every piece of hardware listed above can be found at Amazon website.

Tutorial IIS - Enable HTTP Strict Transport Security

Start the application named: IIS Manager.

Start IIS Windows

On the IIS Manager application, select your website.

On the right part of the screen, access the option named: HTTP Response Headers.

IIS response header

On the top right part of the screen, click on the Add option.

IIS Add header

To enable the HSTS feature, enter the following configuration:

• NAME: Strict-Transport-Security
• VALUE: max-age=31536000; includeSubDomains

Click on the OK button.

IIS Strict Transport Security

To test the installation, open the Chrome browser on a remote computer and enter the IP address of your web server using the HTTP protocol.

In our example, the following URL was entered in the Browser:

• http://54.189.98.159

Use the page inspection feature of the google chrome browser to verify the Headers from your server.

IIS verify HSTS

Optionally, you may use the CURL command of a Linux computer to test the HSTS installation.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Congratulations! You successfully configured the HSTS feature on the IIS server.