Configuring Strict-Transport-Security¶

There are four configuration options:

  • max-age is a TimeSpan (see TimeSpan.Parse)
  • includeSubdomains adds includeSubDomains in the header, defaults to false
  • preload adds the preload directive, defaults to false. Max-age must be at least 18 weeks, and includeSubdomains must be enabled to use the preload directive. See the Chromium HSTS docs for details.
  • httpsOnly ensures that the HSTS header is set over secure connections only, defaults to true.
Configuration Resulting header
max-age=”00:00:00” Strict-Transport-Security: max-age=0
max-age=”12:00:00” Strict-Transport-Security: max-age=43200
max-age=”365” includeSubdomains=”true” Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age=”365” includeSubdomains=”true” preload=”true” Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

In web.config:

<strict-Transport-Security max-age="365" />
<strict-Transport-Security max-age="00:30:00" includeSubdomains="true" />
<strict-Transport-Security max-age="365" includeSubdomains="true" preload="true"/>

NWebsec.Owin: Register the middleware in the OWIN startup class:

using NWebsec.Owin;
public void Configuration(IAppBuilder app)
    app.UseHsts(options => options.MaxAge(days:30).IncludeSubdomains());
    //app.UseHsts(options => options.MaxAge(days:365).IncludeSubdomains().Preload());