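IIS with SSL: enabling HTTP Strict Transport Security (HSTS) by adding the Strict-Transport-Security header
If HTTPS and HTTP are bound to different IIS sites, add the following configuration directly to the web.config of the HTTPS site: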
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
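If both are bound to the same IIS site, add the following URL Rewrite rule so that the header is added to HTTPS responses (for details, see "How to enable HTTP Strict Transport Security (HSTS) in IIS7+"):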
<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
        <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
        <conditions>
          <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        </conditions>
        <action type="Rewrite" value="max-age=31536000" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
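The two configurations above differ in scope: a customHeaders entry is attached to every response the site serves, while the outbound rule fires only when {HTTPS} is on. The following Python audit is an added example, not part of the original article; it reports which form a web.config uses and what max-age it sets. The function names and the two sample documents are constructed for illustration, with a `<configuration>` root element assumed around the page's snippets.

```python
import re
import xml.etree.ElementTree as ET

def parse_max_age(value):
    """Return max-age (seconds) from an HSTS header value, or None if absent."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    return int(m.group(1)) if m else None

def audit_hsts(web_config_xml):
    """Report each place a web.config sets HSTS and whether it is HTTPS-scoped."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # Variant 1: static custom header, added to every response of the site.
    for add in root.findall(".//httpProtocol/customHeaders/add"):
        if add.get("name", "").lower() == "strict-transport-security":
            findings.append({"via": "customHeaders", "https_only": False,
                             "max_age": parse_max_age(add.get("value", ""))})
    # Variant 2: outbound rewrite rule that sets the response header.
    for rule in root.findall(".//rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None or rule.get("enabled", "true").lower() != "true":
            continue
        if match.get("serverVariable", "").upper() != "RESPONSE_STRICT_TRANSPORT_SECURITY":
            continue
        conds = rule.find("conditions")
        # With MatchAny, another condition could fire the rule on plain HTTP.
        match_all = conds is not None and conds.get("logicalGrouping", "MatchAll") == "MatchAll"
        https_only = match_all and any(
            c.get("input", "").upper() == "{HTTPS}" and c.get("pattern", "").lower() == "on"
            and c.get("negate", "false").lower() != "true" for c in conds.findall("add"))
        findings.append({"via": "outboundRule", "https_only": https_only,
                         "max_age": parse_max_age(action.get("value", ""))})
    return findings

# Constructed inputs mirroring the two configurations above.
SEPARATE_SITE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="Strict-Transport-Security" value="max-age=31536000" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
SHARED_SITE = """<configuration><system.webServer><rewrite><outboundRules>
  <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions><add input="{HTTPS}" pattern="on" ignoreCase="true" /></conditions>
    <action type="Rewrite" value="max-age=31536000" />
  </rule>
</outboundRules></rewrite></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("separate site", SEPARATE_SITE), ("shared site", SHARED_SITE)):
        print(label, audit_hsts(cfg))
```

A customHeaders finding with https_only False is expected on a site that has only an HTTPS binding; on a site that also serves HTTP it means the header goes out on plain-HTTP responses as well.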
Related articles:
https://q.cnblogs.com/q/85129/
https://serverfault.com/questions/417173/enable-http-strict-transport-security-hsts-in-iis-7