Auto redirect to HTTPS and add the Strict-Transport-Security header

A simple piece of code that can be added to your web.config that in IIS 7+ with URL Rewrite installed will redirect any HTTP request to HTTPS and when HTTPS add the Strict-Transport-Security header to keep future requests HTTPS.

                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    <action type="Rewrite" value="max-age=31536000" />

Leave a Reply

Your email address will not be published. Required fields are marked *