HTTP Strict Transport Security (HSTS) is an IETF standards-track protocol specified in RFC 6797. It lets a web server declare that web browsers (or other complying user agents) must interact with it only over secure HTTPS connections, never over plain HTTP. As a web security policy mechanism, HSTS protects HTTPS websites against downgrade and man-in-the-middle attacks and greatly simplifies protection against cookie hijacking.

Protip: IIS 8.5 is the IIS version shipped with Windows Server 2012 R2; IIS 10.0 ships with Windows Server 2016 and later.

Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers. This post adds some more technical information about HSTS in IIS and other security headers: how to enable and serve an HTTP Strict Transport Security (HSTS) response header in IIS 10.0 and 8.5, and how to set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS 10.
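As an added example (not the original post's or Scott Hanselman's configuration), here is a web.config that serves the HSTS header the way RFC 6797 expects: the weak static-header variant is shown commented out for contrast, and the corrected version redirects HTTP to HTTPS and emits Strict-Transport-Security only on TLS responses. It assumes the IIS URL Rewrite module is installed on the IIS 8.5 or 10.0 server; the rule names and the one-year max-age are illustrative.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post. Assumes the IIS URL Rewrite
     module is installed; rule names and max-age are illustrative values. -->
<configuration>
  <system.webServer>
    <!-- Weak setting: a static custom header goes out on every response,
         including plain-HTTP ones. Browsers must ignore HSTS received over
         HTTP (RFC 6797 section 8.1), so this buys nothing on port 80 and is
         a common scanner finding. Kept here only for contrast.
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
    -->
    <rewrite>
      <rules>
        <!-- Inbound: permanently redirect every http:// request to https://,
             so the first visit lands on the connection that can set HSTS. -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound: set Strict-Transport-Security only when the response
             travels over TLS. 31536000 seconds is one year, the minimum the
             browser preload list requires; includeSubDomains closes the
             cookie-hijacking gap via insecure subdomains. -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, confirm with a request to each scheme: the http:// URL should answer 301 with a Location on https://, and only the https:// response should carry Strict-Transport-Security.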