I am attempting to insert a custom response header to comply with a requirement to enable HSTS as the current layout is at risk against our cyber security audit.
I am referencing this previous StackOverflow thread, as the "best answer" suggests setting the custom response header using the IIS7 Manager interface, versus the second "best answer", which is to go into the web.config file and copy and paste code into it.
I am curious if it is still ok if I set the custom response header this way:
This dialogue adds headers for all requests. But in your case, you need something slightly different. You need to add HSTS only for HTTPS requests. The answer in the thread which you referred to before is correct because it sets the header only if it is an HTTPS request.
You can do that with IIS Manager.
1) Go to URL Rewrite
2) Click Add Rule -> Outbound rules -> Blank rule
3) Fill fields like that:
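For comparison, the kind of web.config such an outbound rule corresponds to, shown next to the all-requests header the question's dialogue writes. This is an added example, not part of the original answer or the referenced thread; the rule name and the `max-age` value are assumptions, and the IIS URL Rewrite module must be installed for the `<rewrite>` section to be accepted.

```xml
<configuration>
  <system.webServer>

    <!-- Weak form: what the "HTTP Response Headers" dialogue produces.
         The header is attached to every response, plain HTTP included.
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
    -->

    <!-- Corrected form: a URL Rewrite outbound rule that sets the header
         only when the request arrived over HTTPS. -->
    <rewrite>
      <outboundRules>
        <!-- Rule name is an assumption; any unique name works. -->
        <rule name="Add HSTS header on HTTPS only" enabled="true">
          <!-- RESPONSE_<header name, dashes as underscores> targets a
               response header; ".*" matches whether or not it is set. -->
          <match serverVariable="RESPONSE_Strict_Transport_Security"
                 pattern=".*" />
          <conditions>
            <!-- {HTTPS} is "on" for TLS requests and "off" otherwise. -->
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <!-- max-age is in seconds; 31536000 (one year) is an assumed
               value, not one given on this page. -->
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>

  </system.webServer>
</configuration>
```

To confirm the behaviour after deploying, request the site over both schemes and check that `Strict-Transport-Security` appears only in the HTTPS response.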