Develop Reference

Unnecessary HSTS header over HTTP on Windows Server 2016 IIS 10

I am attempting to enforce hsts on my Windows Server 2016 IIS 10 v14. I added the following code to my web.config:
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload"/>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
This works on most my web sites without issues, however, on two of the sites, I am getting a warning:
Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://sandairephotography.com sends an HSTS header. This has no effect over HTTP, and should be removed.
How do I remove this behavior?

In my case, I followed a pre-windows server 2019 example that directed me to implement the HSTS (Strict Transport Security) via my Web sites individual web.config, as posted below. As it happens, the two Web sites that generated the Warning was already setup to use the Strict Transport Security, locally via the IIS Manager HTTP Response Header, which was the source of the Header Warning. Once I removed the entry and restarted the Web Site, the warning disappeared. Apparently, I am using the nopCommerce Web Platform (E-Commerce Template) with a theme that added the http header response entry.
I plan to post a question on the nopCommerce forum as well to determine if this is a normal behavior.

HSTS Displays Disabled even though the header is present

My company is using Tenable to identify security vulnerabilities. Missing HSTS was identified recently. Our server is using IIS 10.
I've added the HSTS header as outlined in multiple blogs, and questions here on SO.
My root web.config looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appSettings>
<add key="Environment" value="Local" />
</appSettings>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect global" stopProcessing="true" >
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security"
pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
Problem: After the changes have been applied, Tenable is still showing a vulnerability. Further, upon inspecting a site in FireFox's dev tools, I can see the header is present, however the security tab indicates that HSTS is disabled.
Question: How do I make this change show up for Firefox and Tenable?

It could also be related to preload tag, that you mentioned in the HSTS header. Are you certain that your site is already added in the preload list (maintained by google/chrome)
If you are deploying your site as sub-domain, then you may also need to add HSTS to parent domain (which is not a sub-domain) and submit for preload.
Once done you can verify and look for more details at https://hstspreload.org/

Azure App Service Reverse Proxy works only on port 80 http

I'm trying to configure Azure App Service Reverse Proxy to expose webserver in Azure Virtual Network to the internet and I had limited success - it's working when I'm not using encrypted connection between reverse proxy and target server.
Here is my currently working configuration:
web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<rewrite>
<rules>
<rule name="ForceSSL" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Proxy" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://example.com/{R:1}" />
<serverVariables>
<set name="HTTP_X_UNPROXIED_URL" value="http://example.com/{R:1}" />
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<preConditions>
<preCondition name="CheckContentType">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/plain|text/xml|application/rss\+xml)" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
applicationHost.xdt
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false"/>
<rewrite xdt:Transform="InsertIfMissing">
<allowedServerVariables xdt:Transform="InsertIfMissing">
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
IP Address of the server has been replaced by example.com
When I change web.config rewrite rule and HTTP_X_UNPROXIED_URL to https I get following IIS Error
Detailed Error Information:
Module ApplicationRequestRouting
Notification ExecuteRequestHandler
Handler ApplicationRequestRoutingHandler
Error Code 0x80072f8f
Requested URL https://example.com:80/
Physical Path D:\home\site\wwwroot
Logon Method Anonymous
Logon User Anonymous
Request Tracing Directory D:\home\LogFiles
This suggests, that for some reason it's trying to request https on port 80.
I tried to follow guide from here: https://www.patrickob.com/2018/11/10/adding-ca-certs-to-the-trusted-root-store-for-web-apps-hosted-in-an-ase/
I have added my organizations root cert to SSL certificated and added WEBSITE_LOAD_ROOT_CERTIFICATES setting.
Any help will be appreciated.

WEBSITE_LOAD_ROOT_CERTIFICATES is only supported in an App Service Environment, its not supported in multi-tenant app services. If the endpoint on-premises is signed by a certificate not using a public CA at this time there's no direct workaround to make this work outside of updating the certificate or possibly writing a simple proxy app that can ignore SSL cert validation (I typically wouldn't recommend this option unless you do the cert validation yourself in code).

Does redirecting a secure domain require an ssl certificate on both domains?

I'm hosting a site on Microsoft Azure and I need to add a redirect from the old domain (domain1.com) to a new domain (www.domain2.com). The problem I'm having however is that the redirect works fine on insecure url's :
http://domain1.com -> https://www.domain2.com
http://www.domain1.com -> https://www.domain2.com
However it doesn't work properly on secure url's:
https://domain1.com -> https://www.domain2.com
https://www.domain1.com -> https://www.domain2.com
What happens is that I get a certificate warning i.e. the given certificate isn't valid for this domain. If i accept the warning, the redirect occurs to the new domain just fine.
This shows me everything is working fine, it's just that ssl is negotiated before the redirect occurs in the browser and because there is no ssl certificate on the first domain I get the warning. Is this correct?
Is there something I'm missing here? Is there a better way to do this? Do I need an ssl certificate on both domains?
Here is my web.config file so you can see my configuration:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!-- Don't show directory listings for URLs which map to a directory. -->
<directoryBrowse enabled="false" />
<rewrite>
<rules>
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
<match url="\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule>
<rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
<match url="favicon\.ico" />
<action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
</rule>
<!-- Rewrite URLs of the form 'x' to the form 'index.php?q=x'. -->
<rule name="Short URLs" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
<add input="{URL}" pattern="^/favicon.ico$" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
</rule>
<rule name="Redirect old-domain to new-domain" stopProcessing="true" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www.)?domain1.com$" />
</conditions>
<action type="Redirect" url="https://www.domain2.com/{R:0}" appendQueryString="true" redirectType="Permanent" />
</rule>
<rule name="WWW Rewrite" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" negate="true" pattern="^www\." />
<add input="{HTTP_HOST}" negate="true" pattern="localhost" />
</conditions>
<action type="Redirect" url="https://www.domain2.com/{R:0}" appendQueryString="true" redirectType="Permanent" />
</rule>
<!-- Force HTTPS Starts -->
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://www.domain2.com/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
<!-- Force HTTPS Ends -->
</rules>
</rewrite>
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
</httpErrors>
<defaultDocument>
<!-- Set the default document -->
<files>
<remove value="index.php" />
<add value="index.php" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

You will be able to redirect non-secure URL to the HTTP/HTTPs. But you won’t be able to redirect HTTPS URL (https://domain1.com) to any HTTP/HTTPs (https://www.domain2.com) unless you have installed valid SSL certificate.
http://domain1.com -> https://www.domain2.com [YES, with or without SSL]
http://www.domain1.com -> https://www.domain2.com [YES, with or without SSL]
And,
https://domain1.com -> https://www.domain2.com [Required Valid SSL certificate for domain1.com]
https://www.domain1.com -> https://www.domain2.com [Required Valid SSL for domain1.com]
That’s why you are getting error as ‘the given certificate isn't valid for this domain’ because you have not valid certificate. Please note you have to install SSL certificate on both OLD and NEW domain if you want old URLs to redirect on new HTTPS URLs.

While the above answer is correct, there is something powerful with Google Domains. It allows you to, under advanced settings, to redirect with HTTPS, without needing an SSL certificate. I haven't seen it with other registrars besides Google Domains, and I should note that they don't support ever TLD. Assuming you've registered or transferred the domain in question over to Google Domains, here's how to implement it:
Navigate to Google Domains and click into the domain you want to redirect
Open the menu Menu, if applicable.
Click Website .
Under "Forward to an existing webpage, click; Add a forwarding address.
Enter a URL or IP address in the "Website URL" field.
Open 'Advanced Settings', and optionally select Permanent redirect (301) or Temporary
Then, under FORWARDING OVER SSL, select SSL on
click Forward to save your settings and that's it!

Azure web app redirect http to https

I use Azure cloud with web app and my server side written on nodejs.
When web app receive a http request I want to redirect the request to https
I found the solution.
I put that to my web.config file inside the rules tag
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="false" redirectType="Permanent" />
</rule>
The problem is when I type in the browser "https://myURL.com" it redirect to main screen every thing ok,
but when I change https to http "http://myURL.com" it redirect to https://myURL.com/" and add to the url "bin/www" according that the url looks like that "http://myURL.com/bin/www", the response is: page doesn't find.
The question is how to redirect a clear url without added data to the url?
Part of my web.config file:
<rewrite>
<rules>
<!-- Do not interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^bin/www\/debug[\/]?" />
</rule>
<!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}" />
</rule>
<!-- All other URLs are mapped to the node.js site entry point -->
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True" />
</conditions>
<action type="Rewrite" url="bin/www" />
</rule>
<!-- Redirect all traffic to SSL -->
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="false" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
<!-- 'bin' directory has no special meaning in node.js and apps can be placed in it -->
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin" />
</hiddenSegments>
</requestFiltering>
</security>
Thanks for answers, Michael.

Go to Azure portal and open the overview page of the (Web) App Service you wanna set to HTTPS only. In the sidebar, under the Settings section, there is an option for TLS/SSL Settings.
On clicking it, you will get an option on the screen to set your app's protocol to HTTPS only. There isn't any need to manually add separate ruleset for this.
This works on every tier of App Service Plan including the 'F'-Series (free subscription).
Note that, if you are adding any custom domain you also need to add corresponding SSL bindings, you can easily get them using LetsEncrypt or alike. If any of the custom hostnames for your app are missing SSL bindings, then:
When HTTPS Only is enabled clients accessing your app on those custom hostnames will see security warnings.
PS: I just saw that this question was asked about 3 years ago and that time maybe there was no direct option to do this. But even so, I'm posting my answer because on Google (as on February 2020) this question still ranks first among others regd. automatic HTTPS redirection in Azure.

As of November 2017, this is now a simple switch in the Azure Portal: "HTTPS Only", under Custom domains.
https://blogs.msdn.microsoft.com/benjaminperkins/2017/11/30/how-to-make-an-azure-app-service-https-only/
It's also very easy in ARM:
“httpsOnly”: true

There is also a free and open source extension for this.
Go to your Web App settings sidebar, search for the "Extensions" tab and click on "Add".
Scroll down and find the extension Redirect HTTP to HTTPS by gregjhogan.
Accept the terms.
Restart the Web App for the actions to take effect immediately.
Done !
For further details on the implementation of this extension, check the source code on GitHub. The most important source file is the applicationhost.xdt.
Quote from GitHub (02-08-2017) (credits go to gregjhogan):
applicationhost.xdt
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="%XDT_SITENAME%" xdt:Transform="InsertIfMissing" xdt:Locator="Match(path)">
<system.webServer xdt:Transform="InsertIfMissing">
<rewrite xdt:Transform="InsertIfMissing">
<rules xdt:Transform="InsertIfMissing" lockElements="clear">
<rule name="redirect HTTP to HTTPS" enabled="true" stopProcessing="true" lockItem="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>

R:1 is a back-reference to the rule pattern. You append that to the url here:
url="https://{HTTP_HOST}/{R:1}"
changing that into
url="https://{HTTP_HOST}"
should result in a redirect to the https root.