A module for IIS which enables HTTP Strict Transport Security compliant with the HSTS Draft Specification (RFC 6797).
Version 2.0 of the module has been released. It is completely rewritten as a native module. It can now be configured to do a redirect for insecure connections.
Whilst it is simple to add a custom header to an IIS site, there is no simple way to add the HSTS header in a way that is compliant with the draft specification (RFC 6797
). Specifically from
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
An additional driver for such a module is the seriousness of attack vectors such as
. It is hoped that simplicity of installation and configuration will avoid any excuse for not implementing the most effective defence against such attacks.
The source code has been moved to GitHub as of version 2.0
Thanks to Phill from Dionach
for the fantastic
IIS extension which is, aside from a great extension, one of the best references for developing a native IIS module.
Thanks also to everyone that has taken the time to reported issues and suggest improvements.