HSTS Support for Azure websites

  • Question

  • Is HSTS support available for Azure websites? We need to enable HSTS for our website to ensure all client browsers only use HTTPS to connect to the website.
    Friday, May 30, 2014 9:44 AM

Answers

  • With help from Azure prosupport I've been able to enable HSTS on our website.

    The solution is adding a string of code to your web.config:

    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders> <add name="Strict-Transport-Security" value="max-age=31536000" /> </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

    A test with www.ssllabs.com now shows HTTP Strict Transport Security is enabled.

    • Marked as answer by BSUR Friday, May 30, 2014 2:43 PM
    Friday, May 30, 2014 2:43 PM

All replies

  • Hi BSUR,

    Thanks for sharing. It will be very beneficial for other community members who have similar questions. If you have any difficulty in the future, you are welcome to come back to our forum.

    Best Regards,

    Jambor



    Saturday, May 31, 2014 1:20 AM
  • The solution is adding a string of code to your web.config:

    From what I've read, that solution isn't valid. See the discussion at: http://stackoverflow.com/questions/21887524/enable-http-strict-transport-security-hsts-in-azure-webroles

    Robert MacLean - www.sadev.co.za

    Wednesday, June 25, 2014 7:08 AM
  • This is not an appropriate solution if your site allows HTTP. (If your site only accepts HTTPS, it's probably OK).

    See this write-up by Scott Hanselman: http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx

    Thursday, September 10, 2015 1:06 PM