A few days ago I was reading about HSTS (HTTP Strict Transport Security) and I was looking for an easier way to implement it on an IIS (Internet Information Services 8) host.
With just a few searches on Google, I got some answers…
Some seemed easier, some seemed wrong; it didn't matter, I tested everything to check which one was the right and good solution.
For one day I thought I had the right one, but I was very, very wrong. Let me explain why…
To keep my story short, let's go to the facts:
I found this project: HTTP Strict Transport Security IIS Module (22.214.171.124).
Reading the project description gives some confidence that they know what they are doing…
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
Well, sounds good: just a module with an installer (+1 for the manager inside IIS). Pretty easy, right? 😉
You can see the result below:
What can we learn from that experience?
- Easier doesn't mean better.
- Always monitor your changes.
So I gave up on that module and started looking for another workaround.
Combining a few pieces of information, I finally got to a simple outbound rule using URL Rewrite.