Adding the Strict-Transport-Security Header in HTTP Responses

HTTP Strict Transport Security (HSTS) is a web security policy mechanism. This mechanism is important for the following reasons:

  • It is necessary to protect secure HTTPS websites against downgrade attacks.
  • It considerably simplifies protection against cookie hijacking.
  • It allows a web server to declare that web browsers (or other complying user agents) should interact with it only over secure HTTPS connections, and never over the insecure HTTP protocol.

The server communicates the HSTS Policy to the user agent via an HTTP response header field named Strict-Transport-Security. The HSTS Policy specifies a period of time (max-age) during which the user agent shall access the server in a secure-only fashion.

To configure HSTS, do as follows:

  1. Edit Web.config.
  2. Uncomment the <add name="Strict-Transport-Security"…/> node.
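As an added illustration (not the page's own Web.config and not the exact node it refers to), the fragment below shows a typical IIS custom-headers entry for Strict-Transport-Security. The placement under system.webServer/httpProtocol/customHeaders, the one-year max-age and the includeSubDomains directive are assumptions chosen for the example; adjust them to the site's actual requirements.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example Web.config fragment, not the original page's file -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- max-age is in seconds: 31536000 = 365 days.
             includeSubDomains extends the policy to every subdomain,
             so every subdomain must already be reachable over HTTPS. -->
        <add name="Strict-Transport-Security"
             value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Because browsers cache the policy for the full max-age, a practical rollout starts with a short max-age (for example a few minutes), confirms that every host covered by the policy serves valid HTTPS, and only then raises the value and adds includeSubDomains. After deploying, verify the header with a tool such as curl -I https://your-host/ (your-host is a placeholder) and check that the response contains the Strict-Transport-Security line with the intended value.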