The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-218827 | SRG-APP-000516-WSR-000174 | IIST-SV-000205 | SV-218827r961863_rule | 2025-02-11 | 3 |
| Description |
|---|
| HTTP Strict Transport Security (HSTS) ensures browsers always connect to a website over TLS. HSTS exists to remove the need for redirection configurations. HSTS relies on the browser, web server, and a public "Allowlist". If the browser does not support HSTS, it will be ignored. |
| ℹ️ Check |
|---|
| Access the IIS 10.0 Web Server. Open IIS Manager. Click the IIS 10.0 web server name. Open on Configuration Editor under Management. For the Section, navigate to system.applicationHost/sites. Expand siteDefaults and HSTS. If enabled is not set to True, this is a finding. If includeSubDomains is not set to True, this is a finding. If max-age is not set to a value greater than 0, this is a finding. If redirectHttpToHttps is not True, this is a finding. If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is Not Applicable. If the version of Windows Server does not natively support HSTS, this is not a finding. |
| ✔️ Fix |
|---|
| Using the Configuration Editor in the IIS Manager or Powershell: Enable HSTS. Set includeSubDomains to True. Set max-age to a value greater than 0. Set redirectHttpToHttps to True. |