4

Question: How do you properly install and configure HTTP Strict Transport Security (HSTS) in an Azure website?

Apparently for IIS the method to use is to install this module: http://hstsiis.codeplex.com/

The problem is that, according to the documentation, you need to install several .dll's in different places (HSTS-IIS-Module-2.0.0.msi). Unfortunatelly that doesn't seem possible in an Azure website environment (How to install IIS module in Azure website?)? Using a virtual machine would probably work but my question targets a regular Azure website/webapp (ASP.NET MVC 5 Application).

PussInBoots
  • 199
  • 3
  • 9

1 Answers1

4

UPDATE:

If you are running ASP.NET, you want to install NWebsec. It will allow you to configure HSTS but also Content-Security-Policy and other headers related to OWASP Secure Headers Project.

This solution was covered by Scott Hanselman in his blog (source at the bottom of the answer).

Basically, HSTS is just an HTTP header. But you only want to send it when you are in HTTPS. This will then lock your site in HTTPS for the max-age specified.

Here's what should be in the web.config of your application:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Source

Maxime Rouiller
  • 191
  • Do you have an idea why the above configuration with URL rewrite rules cold not works? The test web server on http://ok01.no-ip.org/ works on Windows 10 and have the above configuration included (I commented the part with <outboundRules> to test that even Redirect not works). Which other configurations of IIS could prevent the usage of <rewrite> part not working? SSL is installed and https://ok01.no-ip.org/ works inclusive support of HTTP/2 with rating A at https://www.ssllabs.com/ssltest/. It I include HSTS via <customHeaders> I get the rating A+, but HTTP has unneeded HSTS header. – Oleg Apr 05 '16 at 10:02
  • If you are using this web.config in an ASP.NET Core application, it would not work. It would need to be configured on IIS itself if I do believe. – Maxime Rouiller Apr 05 '16 at 12:19
  • 1
    Sorry, I found the article and verified that %windir%\system32\inetsrv\rewrite.dll really was not in the Module list. I registered it using "Configure Native Module" in IIS Manager and everything work now. I tried before many different ways. The usage of IIS Manager was of case the first one. I could see that it created the same sections in web.config which you, Scott Hanselman and Doug Wilson described here. Thanks you anyway. – Oleg Apr 05 '16 at 12:25
  • So it was either the plugin was not installed or was installed and the DLL wasn't properly registered. Right? – Maxime Rouiller Apr 05 '16 at 12:39
  • Yes, something like that. URL rewrite need be not explicitly installed (or I did it for very long time). One could see the icon and configure the rules, the rules was saved in web.config, but nothing worked. I suppose that the applicationHost.config was reset by some repairing. The only real problem was that the "Web Platform Installer" don't provide repair package functionality. Probably I had to go in the list of installed software and to repair "IIS URL Rewrite Module 2". I just thought too long time, that I create wrong rule instead of trying to uninstall and install the Module. – Oleg Apr 05 '16 at 13:50
  • I'm sorry that I've disturbed you. – Oleg Apr 05 '16 at 13:52
  • No problem! I've learned something too! :) win-win – Maxime Rouiller Apr 05 '16 at 13:53