Enable Strict transport security MVC

I want to enable strict transport security. My website is HTTPS enabled. Below is my code to enable HSTS.

<system.webServer>
    <httpProtocol>
      <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
          <add name="Strict-Transport-Security" value="max-age=31536000"/>
          .....
      </customHeaders>
    </httpProtocol>
</system.webServer>

Is the above setting enough to enable strict transport security, or do I also need to add the setting below, i.e.

<rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
              redirectType="Permanent" />
        </rule>
      </rules> 
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
              pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite> 

If both settings are mandatory, then what is the need for the rewrite? Can we enable HSTS by only <add name="Strict-Transport-Security" value="max-age=31536000"/> or by only the rewrite?

Why is the rewrite required?

This site says to add the rewrite along with

<add name="Strict-Transport-Security" value="max-age=31536000"/>

user1681166 asked Oct 27 '25 03:10


1 Answer

This header forces the browser to use HTTPS. If the application has an HTTP link somewhere, or if the user tries to enter the URL with HTTP, the browser will redirect them to HTTPS. To use HSTS, the site needs a valid SSL certificate. The rewrite is not mandatory, but it's good to have, because if the user first enters the site with HTTPS, then whenever they come to the site, the user will be automatically redirected until expiry. Also, the max-age updates on each visit. But if the user enters once in HTTPS mode, HSTS may not work until they use the site in HTTPS once. It's better to use the rewrite.

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=xxxxxx"/>
      </customHeaders>
    </httpProtocol>
</system.webServer>

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Chidambaram answered Oct 28 '25 17:10
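As an added example (not part of the question or the answer above), here is an offline checker for the two halves of the configuration discussed: the HTTP-to-HTTPS redirect rule and the Strict-Transport-Security header that is only emitted when HTTPS is on. The Response class, the sample responses and the example.test host are constructed for this illustration; it treats only 301/308 as a valid redirect because the question's rule uses redirectType="Permanent".

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict  # raw header name -> value

def lower_headers(resp):
    return {k.lower(): v for k, v in resp.headers.items()}

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_hsts_deployment(http_resp, https_resp, min_max_age=31536000):
    """Return a list of findings; an empty list means both halves are in place."""
    findings = []
    http_h, https_h = lower_headers(http_resp), lower_headers(https_resp)
    # Plain HTTP must redirect permanently to HTTPS (the 'HTTP to HTTPS redirect'
    # rule): browsers ignore an HSTS header received over HTTP, so without the
    # redirect a visit typed as http:// never learns the policy.
    location = http_h.get("location", "")
    if http_resp.status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("http: no permanent redirect to https")
    # The outbound rule conditions on {HTTPS}=on; the header on plain HTTP is ineffective.
    if "strict-transport-security" in http_h:
        findings.append("http: HSTS header sent over plain HTTP (browsers ignore it)")
    # The HTTPS response must carry the header with an integer max-age.
    sts = https_h.get("strict-transport-security")
    if sts is None:
        findings.append("https: Strict-Transport-Security header missing")
        return findings
    try:
        max_age = int(parse_hsts(sts).get("max-age", ""))
    except ValueError:
        findings.append("https: max-age directive missing or not an integer")
        return findings
    if max_age < min_max_age:
        findings.append(f"https: max-age {max_age} is below {min_max_age}")
    return findings

# Constructed sample responses (not captured from any real server).
SAMPLE_HTTP = Response(301, {"Location": "https://example.test/page"})
SAMPLE_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=31536000"})
```

Feed it the status and headers captured from one plain-HTTP and one HTTPS request to the site; an empty result means the redirect and the header are both present as the configuration intends.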