I am trying to write HSTS rewrite rules in the <system.webServer> section of the web.config file:

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^test\.test\.test$" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://test.test.test/{R:1}"
              redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>
I can see these redirect and rewrite rules in IIS, but I'm not sure why the Strict-Transport-Security header is not present when I check with the Dev tools (F12); the website is otherwise fully functional.
I know there is another way to add custom headers in web.config, but from looking at a couple of posts here on SO, it doesn't look like a recommended approach.
Can anyone tell me what I am doing wrong here?
I don’t think your “HTTP to HTTPS redirect” rule is correct. Please enable Failed Request Tracing to see whether it takes effect. Because the value of {HTTPS} is only On or Off, the condition always failed when I tested your pattern. For more server variables, refer to this.

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="Off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://test.test.test/{R:1}"
              redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>
When I changed the pattern, everything went well, and the Strict-Transport-Security header can be found in the response headers.
There are two other ways that Microsoft recommends for adding custom headers. One is to set a custom header in the HTTP Response Headers module; this way is fast and simple. Refer to this. The other one is a custom filter. Here is some example code:
using System.Web.Mvc;

// Implementing IExceptionFilter as well makes OnException part of the
// filter pipeline; ActionFilterAttribute alone does not declare it.
public class CustomFilterAttribute : ActionFilterAttribute, IExceptionFilter
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // add in your custom headers (any response header can be set this way)
        filterContext.HttpContext.Response.AddHeader("Access-Control-Allow-Origin", "*");
        filterContext.HttpContext.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type");
        filterContext.HttpContext.Response.AddHeader("Access-Control-Allow-Methods", "GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS");
        base.OnActionExecuting(filterContext);
    }

    public void OnException(ExceptionContext filterContext)
    {
        // do some cool exception handling here
    }
}
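To make the diagnosis in the answer concrete, here is an added, offline simulation of how URL Rewrite evaluates the two configurations. It is example code written for this page, not IIS's engine or anything from the question or answer: a small evaluator that parses a constructed `<rewrite>` fragment (modelled on the rules above, with the inbound `{HTTPS}` pattern parameterised) and runs a constructed request through the inbound and outbound rules. It covers only the rule features used on this page (one `Redirect` action, one `Rewrite` action on a `RESPONSE_*` server variable, `{HTTPS}` as the only server variable), so it is a model of the behaviour, not a full implementation. With the asker's pattern an `http://` request is never redirected, so the page is served over plain HTTP and the outbound rule's `{HTTPS}` = `on` condition fails, which is why no HSTS header shows up in the browser; with the answer's `Off` pattern the request is redirected and the HTTPS response carries the header.

```python
"""Offline model of the IIS URL Rewrite rules discussed above (example code, not IIS)."""
import re
import xml.etree.ElementTree as ET

# Constructed <rewrite> fragment mirroring the answer's rules. Only the inbound
# condition pattern differs between the question and the answer, so it is a
# format parameter; {{...}} survives str.format as literal {...}.
REWRITE_TEMPLATE = """
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{{HTTPS}}" pattern="{https_pattern}" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://test.test.test/{{R:1}}" redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{{HTTPS}}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
  </outboundRules>
</rewrite>
"""

QUESTION_RULES = REWRITE_TEMPLATE.format(https_pattern=r"^test\.test\.test$")
ANSWER_RULES = REWRITE_TEMPLATE.format(https_pattern="Off")


def _expand(value, server_vars):
    """Replace {VAR} references with server-variable values (subset of IIS syntax)."""
    return re.sub(r"\{(\w+)\}", lambda m: server_vars.get(m.group(1), ""), value)


def _conditions_hold(rule, server_vars):
    """All <conditions><add> entries must match (IIS default logicalGrouping=MatchAll)."""
    for cond in rule.findall("./conditions/add"):
        flags = re.IGNORECASE if cond.get("ignoreCase", "true").lower() == "true" else 0
        if not re.search(cond.get("pattern"), _expand(cond.get("input"), server_vars), flags):
            return False
    return True


def simulate(rewrite_xml, scheme, path, response_headers=None):
    """Run one request through inbound rules, then the response through outbound rules."""
    root = ET.fromstring(rewrite_xml)
    # IIS exposes the scheme only as {HTTPS} = "on" / "off".
    server_vars = {"HTTPS": "on" if scheme == "https" else "off"}

    for rule in root.findall("./rules/rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue
        # <match url> is tested against the path without its leading slash.
        m = re.match(rule.find("match").get("url"), path.lstrip("/"))
        if not m or not _conditions_hold(rule, server_vars):
            continue
        action = rule.find("action")
        if action.get("type") == "Redirect":
            location = action.get("url")
            for i, group in enumerate(m.groups(), start=1):
                location = location.replace("{R:%d}" % i, group)
            status = 301 if action.get("redirectType", "Permanent") == "Permanent" else 302
            return {"status": status, "location": location, "headers": {}}
        if rule.get("stopProcessing", "false").lower() == "true":
            break

    headers = dict(response_headers or {})
    for rule in root.findall("./outboundRules/rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue
        match = rule.find("match")
        var = match.get("serverVariable", "")
        if not var.startswith("RESPONSE_"):
            continue
        header = var[len("RESPONSE_"):].replace("_", "-")
        # pattern=".*" also matches an absent header, so Rewrite creates it.
        if not re.search(match.get("pattern"), headers.get(header, "")):
            continue
        if not _conditions_hold(rule, server_vars):
            continue
        action = rule.find("action")
        if action.get("type") == "Rewrite":
            headers[header] = action.get("value")
    return {"status": 200, "location": None, "headers": headers}


def compare():
    """The three cases that explain the question: asker's rules over HTTP, fixed rules over HTTP and HTTPS."""
    return {
        "question_http": simulate(QUESTION_RULES, "http", "/login"),
        "answer_http": simulate(ANSWER_RULES, "http", "/login"),
        "answer_https": simulate(ANSWER_RULES, "https", "/login"),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows `question_http` returning 200 with no `Strict-Transport-Security` header, `answer_http` returning a 301 to `https://test.test.test/login`, and `answer_https` returning 200 with the header set; the same method lets you sanity-check a candidate condition pattern against the `on`/`off` values before deploying it.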