Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles

How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?

Mahmoud Samy asked Feb 19 '14 17:02




1 Answer

The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:

  1. Redirect all HTTP requests to HTTPS
  2. Add the Strict-Transport-Security header to all HTTPS requests

The appropriate web.config would look like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict-Transport-Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and easy local development setup (no HTTPS on localhost):

<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll">
        <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Redirect to www" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://www.yourdomain.com/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="HSTS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>

Of course, switch yourdomain with your actual domain.

Ohad Schneider answered Sep 22 '22 07:09

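As an added example (not part of the original answer, and not IIS or Azure code), a stdlib-only Python check for the two behaviours the web.config above is meant to produce: plain-HTTP requests get a permanent same-host redirect to HTTPS, and HTTPS responses carry a Strict-Transport-Security header that meets the preload requirements (one-year max-age, includeSubDomains, preload). The functions take already-captured status codes, Location values and header values, so no network access is needed; the domain and header strings used are constructed.

```python
# Added example (not from the original answer): stdlib-only checks for the behaviour the web.config above should produce.
from urllib.parse import urlsplit
ONE_YEAR = 31536000  # the max-age used in the answer's config, in seconds

def parse_hsts(header):
    """Parse 'max-age=N; includeSubDomains; preload' (names are case-insensitive per RFC 6797); None if max-age is missing/invalid."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None

def hsts_preload_problems(header):
    """Reasons an HTTPS response's header fails hstspreload.org requirements (>= 1 year, includeSubDomains, preload); [] means it passes."""
    parsed = parse_hsts(header) if header else None
    if parsed is None:
        return ["missing or unparsable Strict-Transport-Security header"]
    problems = []
    if parsed["max_age"] < ONE_YEAR:
        problems.append(f"max-age {parsed['max_age']} is below {ONE_YEAR}")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload missing")
    return problems

def redirect_problems(request_url, status, location):
    """Check a plain-HTTP response against the 'HTTP to HTTPS redirect' rule: permanent redirect, https, same host, path kept."""
    problems = [] if status in (301, 308) else [f"expected 301/308, got {status}"]
    if not location:
        return problems + ["no Location header"]
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        problems.append("target is not https")
    if loc.hostname != req.hostname:  # preload requires the first hop to stay on the same host
        problems.append(f"host changes {req.hostname} -> {loc.hostname}")
    if (loc.path or "/") != (req.path or "/"):
        problems.append("path not preserved")
    return problems

if __name__ == "__main__":  # constructed responses, as the config above would emit them for yourdomain.com
    print(redirect_problems("http://yourdomain.com/login", 301, "https://yourdomain.com/login"), hsts_preload_problems("max-age=31536000"))
```

Feed it the status, Location and Strict-Transport-Security values from a real curl -I against the HTTP and HTTPS endpoints; the www redirect in the second config is only correct if the HTTP request is first bounced to HTTPS on the apex, which redirect_problems enforces.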