How can I turn on HTTP Strict Transport Security (HSTS) for Azure WebRoles?
The accepted answer is confusing and the correct answer (on ServerFault) is hidden in the comments, so I'll just recap it quickly here. Basically this is what you want to do:
Strict-Transport-Security header to all HTTPS requests
The appropriate web.config would look like this:
If you want to comply with HSTS preload you'll need includeSubDomains and preload in the Strict_Transport_Security header too. Here's my full rewrite configuration, including apex redirection (I'm a yes-www guy) and easy local development setup (no HTTPS on localhost):
Of course, switch yourdomain with your actual domain.