
Unnecessary HSTS header over HTTP on Windows Server 2016 IIS 10


I am attempting to enforce HSTS on my Windows Server 2016 IIS 10 v14. I added the following code to my web.config:

    <system.webServer>
      <rewrite>
        <rules>
          <!-- Inbound: send every plain-HTTP request to the same host over HTTPS.
               Permanent (301) so browsers cache the redirect. -->
          <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
          </rule>
        </rules>

        <outboundRules>
          <!-- Outbound: set Strict-Transport-Security only on responses served over TLS.
               RESPONSE_Strict_Transport_Security is the Strict-Transport-Security response
               header; pattern ".*" matches whether or not the header already exists, so an
               existing value is overwritten rather than duplicated. Leave "preload" out
               unless the domain is meant for the browser preload list. -->
          <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
            <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
            <conditions>
              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            </conditions>
            <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>

This works on most of my web sites without issues; however, on two of the sites I am getting a warning:

Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://sandairephotography.com sends an HSTS header. This has no effect over HTTP, and should be removed.

How do I remove this behavior?


Solution

  • In my case, I followed a pre-Windows Server 2019 example that directed me to implement HSTS (Strict Transport Security) via each web site's individual web.config, as posted above. As it happens, the two web sites that generated the warning were already set up to use Strict Transport Security locally via the IIS Manager HTTP Response Headers feature, which was the source of the header warning. Once I removed the entry and restarted the web site, the warning disappeared. Apparently, I am using the nopCommerce web platform (e-commerce template) with a theme that added the HTTP response header entry.

    I plan to post a question on the nopCommerce forum as well to determine if this is a normal behavior.
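The answer above traces the warning to a second, unconditional Strict-Transport-Security header entered through the IIS Manager HTTP Response Headers feature, which IIS stores under <httpProtocol><customHeaders> in web.config, sitting next to the {HTTPS}-guarded outbound rewrite rule from the question. The Python script below is an added example, not code from the original poster or from nopCommerce: it audits a web.config for both ways of emitting HSTS and classifies captured response headers by scheme, so the offending site and the offending config entry can be found without guessing. The web.config text and the header lists embedded in it are constructed for illustration (example.com is a placeholder host), and probe() is a helper added here that uses http.client without following redirects, so the headers the HTTP listener sends together with its 301 are the ones inspected.

```python
"""Audit where an IIS site emits Strict-Transport-Security and whether it leaks over HTTP."""
import http.client
import xml.etree.ElementTree as ET

HSTS = "strict-transport-security"
PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires a max-age of at least one year

# Constructed web.config resembling the two failing sites: the IIS Manager
# "HTTP Response Headers" entry (customHeaders) plus the {HTTPS}-guarded outbound rule.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>"""

# Constructed header captures for a placeholder host (example.com), in the
# (name, value) list shape that http.client.HTTPResponse.getheaders() returns.
HTTP_RESPONSE_BAD = [("Location", "https://example.com/"),
                     ("Strict-Transport-Security", "max-age=31536000")]
HTTP_RESPONSE_FIXED = [("Location", "https://example.com/")]
HTTPS_RESPONSE = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")]

def audit_web_config(xml_text):
    """Return (source, when, value) for every place a web.config emits HSTS.
    customHeaders entries go out on every response, HTTP included; an outbound
    rewrite rule only fires when its {HTTPS} condition matches."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.iterfind(".//httpProtocol/customHeaders/add"):
        if add.get("name", "").lower() == HSTS:
            findings.append(("customHeaders", "always", add.get("value", "")))
    for rule in root.iterfind(".//rewrite/outboundRules/rule"):
        match = rule.find("match")
        var = (match.get("serverVariable", "") if match is not None else "").lower()
        if var.replace("_", "-") != "response-" + HSTS:  # RESPONSE_Strict_Transport_Security
            continue
        https_only = any(c.get("input", "").lower() == "{https}" and c.get("pattern", "").lower() == "on"
                         for c in rule.iterfind("conditions/add"))
        action = rule.find("action")
        value = action.get("value", "") if action is not None else ""
        findings.append(("outboundRule", "https-only" if https_only else "always", value))
    return findings

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip() or None
    return directives

def audit_response(scheme, headers):
    """Classify one response's HSTS behaviour for the scheme it was served on."""
    values = [v for n, v in headers if n.lower() == HSTS]
    if scheme == "http":
        # RFC 6797 section 8.1: browsers must ignore HSTS received over plain HTTP,
        # so the header there is dead weight (the warning in the question).
        return "hsts-over-http" if values else "ok"
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"
    d = parse_hsts(values[0])
    age = d.get("max-age")
    if age is None or not age.isdigit():
        return "no-max-age"
    if "preload" in d and ("includesubdomains" not in d or int(age) < PRELOAD_MIN_AGE):
        return "preload-requirements-unmet"
    return "ok"

def probe(host, scheme, path="/"):
    """Fetch one URL and return (status, headers) without following redirects, so the
    headers the HTTP listener sends alongside its 301 are what get inspected."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()
```

Run audit_web_config over each site's web.config (and over applicationHost.config, since the same IIS Manager feature writes to that file when used at server level) and look for an "always" finding; that is the customHeaders entry the answer removed, while the outbound rule shows up as "https-only". On the server, `audit_response("http", probe(host, "http")[1])` returns "hsts-over-http" until that entry is gone and "ok" afterwards. Keep "preload" out of the value unless the domain is actually being submitted to the preload list, because it commits every subdomain to HTTPS for at least a year and cannot be undone quickly.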