1

I am implementing HSTS. The check on https://hstspreload.org/ tells me that it's all good but I serve the HSTS header over HTTP which is unnecessary.

Warning: Unnecessary HSTS header over HTTP The HTTP page at www.domain.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Now, I don't see it as a big problem, but the pedantic nature inside me wants to fix it. I saw this thread successfully resolving it, but I want to ask how I can achieve this on my IIS. I am running IIS on Windows. Any help is really appreciated.

[EDIT] Some people misunderstood my question, so sorry about that. What the hstspreload website suggests is that you should only serve the HSTS header over https:// and that it is useless to serve it on http:// requests. So my question is: **"How do I only serve the header on https:// and not on http:// requests? I have implemented the HSTS header through IIS web.config."**

Djongov
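As an added example (not from the question or from any answer on this page): a web.config fragment showing the unconditional custom-header form that triggers the hstspreload.org warning, next to a URL Rewrite outbound rule that only writes the header when the request arrived over TLS. It assumes the IIS URL Rewrite module is installed; the max-age value and includeSubDomains flag are placeholders chosen here, not values from the page.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the question or the answer.
     Assumptions: IIS with the URL Rewrite module installed;
     the max-age / includeSubDomains values are placeholders. -->
<configuration>
  <system.webServer>

    <!-- Weak form: a static custom header is attached to every response,
         including plain-HTTP ones, which is exactly what hstspreload.org
         warns about. Remove this entry. -->
    <!--
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
    -->

    <!-- Corrected form: an outbound rule that only sets the header when the
         {HTTPS} server variable is "on". Rewriting a RESPONSE_* server
         variable creates the header if it is not already present, so the
         ".*" match also covers responses that carry no such header yet. -->
    <rewrite>
      <outboundRules>
        <rule name="Add HSTS header on HTTPS only" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>

  </system.webServer>
</configuration>
```

On IIS 10 version 1709 or later, the per-site `<hsts>` element in applicationHost.config that the answer below refers to already emits the header only on HTTPS responses, so enabling it there and dropping the custom header achieves the same result without URL Rewrite. Either way, verify by requesting the same URL over http:// and https:// and confirming the Strict-Transport-Security header appears only in the second response.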

1 Answer

-1

It depends on how you generated the HSTS header.

Case 1: The header is generated by your application, like ASP.NET Core.

Then you could just remove useHSTS from your application.

Case 2: The header is generated by an IIS custom response header.

Please remove it from your web.config->httpprotocol/customheaders section.

Case 3: IIS 10 HSTS has been enabled.

You could disable it from applicationhost.config->sites/site/HSTS. Set it to false.

URL Rewrite can be used to add a response header or rewrite its value, but it can't be used to remove the whole header.

Jokies Ding
  • hey Jokies, I think you misunderstood me. I don't want to remove HSTS. I just want to stop serving the header for http:// requests and only over https:// – Djongov Mar 06 '20 at 13:52