
HSTS and redirection IIS 10


I enabled HSTS in IIS v10.0.20348.1.

I was testing my website here https://hstspreload.org and I got this error:

Error: HTTP redirects to www first

http://example.com (HTTP) should immediately redirect to https://example.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.example.com/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

For redirection from non-www to www I have a rule:

<rule name="Imported Rule 1" stopProcessing="true">
  <match url="^(.*)$" ignoreCase="false" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern="^www\." ignoreCase="false" negate="true" />
  </conditions>
  <action type="Redirect" url="https://www.{HTTP_HOST}{URL}" redirectType="Permanent" />
</rule>

Any help and suggestions to fix the error are welcome. Thanks.


Solution

  • It seems to be a problem caused by the execution order. Please try to implement your requirement using multiple rules in the rewrite module, something like this:

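    <!-- Step 1: plain-HTTP requests for the bare domain go to HTTPS on the same host. -->
    <rule name="Redirect to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{HTTPS}" pattern="off" />
            <!-- Dot escaped so the pattern matches only the literal host name. -->
            <add input="{HTTP_HOST}" pattern="^hstspreload\.org$" />
        </conditions>
        <action type="Redirect" url="https://hstspreload.org/{R:1}" redirectType="Permanent" />
    </rule>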
    
    <!-- Step 2: once on HTTPS, the bare domain is redirected to the www host. -->
    <rule name="Redirect to www on HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
            <add input="{HTTP_HOST}" pattern="^hstspreload\.org$" />
            <add input="{HTTPS}" pattern="on" />
        </conditions>
        <action type="Redirect" url="https://www.hstspreload.org/{R:1}" redirectType="Permanent" />
    </rule>
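
The following is an added example, not code from the question or the answer. It is a simplified Python model of the two rule sets above (host replaced with example.com, `{URL}` used in place of `{R:1}`; all function and variable names are hypothetical). It follows the redirect chain each rule set produces and applies the hstspreload.org first-hop check.

```python
import re
from urllib.parse import urlsplit

# Constructed models of the rule sets on this page (host swapped to example.com).
# Each rule: (conditions, redirect template); a condition is (server variable, regex, negate).
ORIGINAL = [
    ([("HTTP_HOST", r"^www\.", True)], "https://www.{HTTP_HOST}{URL}"),
]
FIXED = [
    ([("HTTPS", r"off", False), ("HTTP_HOST", r"^example\.com$", False)],
     "https://example.com{URL}"),
    ([("HTTP_HOST", r"^example\.com$", False), ("HTTPS", r"on", False)],
     "https://www.example.com{URL}"),
]

def redirect_for(rules, url):
    """Return the Location the first matching rule (MatchAll) would send, or None."""
    parts = urlsplit(url)
    env = {"HTTP_HOST": parts.netloc, "URL": parts.path or "/",
           "HTTPS": "on" if parts.scheme == "https" else "off"}
    for conditions, template in rules:
        if all(bool(re.search(rx, env[var])) != negate for var, rx, negate in conditions):
            return template.format(**env)
    return None

def redirect_chain(rules, url, max_hops=5):
    """Follow redirects produced by the rule set, returning every URL visited."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = redirect_for(rules, chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def preload_first_hop_ok(chain):
    """hstspreload.org check: hop 1 must be HTTPS on the same host as the HTTP request."""
    if len(chain) < 2:
        return False
    first, second = urlsplit(chain[0]), urlsplit(chain[1])
    return second.scheme == "https" and second.netloc == first.netloc

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        chain = redirect_chain(rules, "http://example.com/")
        print(name, " -> ".join(chain), "OK" if preload_first_hop_ok(chain) else "FAIL")
```

In this model, `http://www.example.com/` matches neither of the two rules from the answer, so by these rules alone the www host over plain HTTP is not upgraded and would need its own HTTP-to-HTTPS rule.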