Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles

The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:

1. Redirect all HTTP requests to HTTPS
2. Add the Strict-Transport-Security header to all HTTPS requests

The appropriate web.config would look like this:

<?xml version="1.0" encoding="UTF-8"?><configuration>    <system.webServer>        <rewrite>            <rules>                <rule name="HTTP to HTTPS redirect" stopProcessing="true">                    <match url="(.*)" />                    <conditions>                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />                    </conditions>                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"                        redirectType="Permanent" />                </rule>            </rules>            <outboundRules>                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">                    <match serverVariable="RESPONSE_Strict_Transport_Security"                        pattern=".*" />                    <conditions>                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />                    </conditions>                    <action type="Rewrite" value="max-age=31536000" />                </rule>            </outboundRules>        </rewrite>    </system.webServer></configuration>

If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict_Transport_Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and easy local development setup (no HTTPS on localhost):

<rewrite>  <rules>    <rule name="Redirect to HTTPS" stopProcessing="true">      <match url="(.*)" />      <conditions logicalGrouping="MatchAll">        <add input="{SERVER_NAME}" pattern="^localhost$" negate="true" />        <add input="{HTTPS}" pattern="off" ignoreCase="true" />      </conditions>      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />    </rule>    <rule name="Redirect to www" stopProcessing="true">      <match url="(.*)" />      <conditions>        <add input="{HTTP_HOST}" pattern="^yourdomain\.com" ignoreCase="true" />      </conditions>      <action type="Redirect" url="https://www.yourdomain.com/{R:1}"            redirectType="Permanent" />    </rule>  </rules>  <outboundRules>    <rule name="HSTS" enabled="true">      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />      <conditions>        <add input="{HTTPS}" pattern="on" ignoreCase="true" />      </conditions>      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />    </rule>  </outboundRules></rewrite>

Of course, switch yourdomain with your actual domain.

There is an IIS module which enables HSTS compliant with the HSTS Draft Specification (RFC 6797); you can found it here https://hstsiis.codeplex.com/

DON'T TRY THIS:

<system.webServer>    <httpProtocol>        <customHeaders>            <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>        </customHeaders>    </httpProtocol></system.webServer>

because this will include the STS header in HTTP responses over non-secure transport.