GSA / https

The HTTPS-Only Standard for federal domains (M-15-13), and implementation guidance.
https://https.cio.gov

IIS 7.0+ example HSTS fix #238

Closed bandrzej closed 6 years ago

bandrzej commented 7 years ago

Submitted edit prevents HSTS from being directly applied in HTTP headers, against HSTS specification section 7.12:

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

SOURCE:
https://tools.ietf.org/html/rfc6797#section-7.2

konklone commented 6 years ago

@bandrzej Thanks! (And sorry for the delay, I somehow missed the notification of this issue.)

I don't have a way of testing this myself, but I'm happy to trust your work here. Thanks for the improvement!