NOTICE
Due to lack of time, this project is no longer maintained. If you are interested in taking over ownership of the project, please contact me.
Project Description
A module for IIS which enables HTTP Strict Transport Security compliant with the HSTS Draft Specification (RFC 6797).
Version 2.0
Version 2.0 of the module has been released. It is completely rewritten as a native module. It can now be configured to do a redirect for insecure connections.
Justification
Whilst it is simple to add a custom header to an IIS site, there is no simple way to add the HSTS header in a way that is compliant with the draft specification (RFC 6797). Specifically from section 7.2:
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.
An additional driver for such a module is the seriousness of attack vectors such as sslstrip. It is hoped that simplicity of installation and configuration will avoid any excuse for not implementing the most effective defence against such attacks.
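As an added illustration of the section 7.2 rule (this is example code, not the project's native module, and the module name and policy values are constructed placeholders), the following managed IIS module emits `Strict-Transport-Security` only on responses that travelled over TLS and answers plain-HTTP requests with a permanent redirect to the HTTPS origin, which is the redirect behaviour version 2.0 adds:

```csharp
using System;
using System.Web;

// Added illustration, not the project's code: a managed IIS module that applies
// the RFC 6797 section 7.2 rule. The policy values are constructed placeholders
// to be tuned per deployment.
public class HstsEnforcementModule : IHttpModule
{
    private const int MaxAgeSeconds = 31536000;      // one year
    private const bool IncludeSubDomains = true;

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    // Insecure request: never emit the STS header here. Send a permanent
    // redirect to the same URL over https instead, so the browser learns the
    // policy from the secure response that follows.
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.IsSecureConnection)
        {
            return;
        }

        // Port = -1 drops the explicit port so the default https port is used.
        UriBuilder target = new UriBuilder(ctx.Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1
        };

        ctx.Response.Clear();
        ctx.Response.StatusCode = 301;
        ctx.Response.RedirectLocation = target.Uri.AbsoluteUri;
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Secure response: set the header exactly once, just before headers go out.
    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsSecureConnection)
        {
            return;
        }

        string value = "max-age=" + MaxAgeSeconds;
        if (IncludeSubDomains)
        {
            value += "; includeSubDomains";
        }

        // Headers.Set overwrites any value a site-level customHeaders entry added,
        // so the module stays the single source of the policy.
        ctx.Response.Headers.Set("Strict-Transport-Security", value);
    }

    public void Dispose()
    {
    }
}
```

The module is registered under `<system.webServer><modules>` with `<add name="HstsEnforcementModule" type="HstsEnforcementModule" />` and needs the integrated pipeline, because `Response.Headers` is not writable in classic mode. Two checks worth running after deployment: `curl -sI http://host/` should return a 301 to the https URL and no `Strict-Transport-Security` header, while `curl -sI https://host/` should carry the header. One caveat: if TLS is terminated on a load balancer in front of IIS, `IsSecureConnection` is false for every request, so the header is never sent and the redirect loops; in that topology the secure/insecure decision has to come from the proxy's forwarded-protocol header instead.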
Source Code
The source code has been moved to GitHub as of version 2.0.
Further Reading
- HTTP Strict Transport Security Draft Specification
- OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security
- OWASP wiki HSTS page
Thanks
Thanks to Phill from Dionach for the fantastic Strip Headers IIS extension which is, aside from a great extension, one of the best references for developing a native IIS module.
Thanks also to everyone that has taken the time to report issues and suggest improvements.