I have an asp.net web application that is indexed by search engines in the www subdomain. I really do not want to change this: requests to the root domain are configured with constant redirection to the www version and all this is normal.
I turned on HSTS on the site, but the HSTS outbound header rule that I added never gets on the first request to the root of the domain due to redirection. (It works great for subsequent https requests because there is no redirect). This is a problem because I want to submit a site for HSTS preloading - and this requires that the redirect include the HSTS response header ...
I tried to set the stopProcessing attribute in the rule to false (hoping that the outgoing rule to set the HSTS header will be executed even when redirecting) to no avail.
Here are the relevant excerpts from my configuration file:
<rewrite>
<rules>
<rule name="Canonical Host Name, HTTPS enabled" stopProcessing="false">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_HOST}" negate="true" pattern="www.mysite.co.uk" />
<add input="{HTTP_HOST}" negate="true" pattern="^[a-z0-9]+\.cloudapp\.net$" />
<add input="{HTTP_HOST}" negate="true" pattern="localhost" />
</conditions>
<action type="Redirect" url="https://www.mysite.co.uk/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules rewriteBeforeCache="true">
<rule name="Add Strict-Transport-Security" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
<add input="{HTTP_HOST}" pattern="(mysite.co.uk|www.mysite.co.uk)" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
source
share