如果https与http绑定在不同的IIS站点上,直接在https站点的web.config中添加如下配置:
<system.webServer> <httpProtocol> <customHeaders> <add name="Strict-Transport-Security" value="max-age=31536000" /> </customHeaders> </httpProtocol></system.webServer>
如果在同一个IIS站点,需要针对https响应添加如下的url重写规则(详见How to enable HTTP Strict Transport Security (HSTS) in IIS7+):
<system.webServer> <rewrite> <outboundRules> <rule name="Add Strict-Transport-Security when HTTPS" enabled="true"> <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" /> <conditions> <add input="{HTTPS}" pattern="on" ignoreCase="true" /> </conditions> <action type="Rewrite" value="max-age=31536000" /> </rule> </outboundRules> </rewrite></system.webServer>