HSTS header not being sent in IIS 10 #18

Open
rhymeswithmogul opened this issue Jan 22, 2019 · 3 comments

Comments

@rhymeswithmogul

I installed this module into a fresh install of IIS 10 (Server 2016), but the HSTS header is never being sent. How can I troubleshoot this?

@Rich-Lang

It works for me on WinSvr2016. What have you tried to do to troubleshoot it?

  1. Did you enable HSTS for your Website? By default, it adds configuration to the Web.config. Open that site's web.config and verify there is HSTS configuration and enabled="true".
  2. Are you sure you are sending an HTTPS request? It won't reply with HSTS (Strict-Transport-Security) header unless you are making requests over HTTPS.

@rhymeswithmogul
Author

  1. Yes, I verified that this module added an tag in the Default Web Site's web.config.
  2. Yes, I'm connecting over HTTPS.

@Rich-Lang

The module has some error logging in "Failed Request Tracing". A sample of what you would see is as follows. If you need instructions for setting up Failed Request Tracing, check out https://www.pluralsight.com/blog/it-ops/iis-7-troubleshooting

Two changes I'd make:

  1. When it says to enter status code "401", you should do "100-999" instead to capture all requests
  2. Instead of selecting granular extensions (such as WWW Server) to capture, just leave all selected. The extra data won't hurt anything.

When you get a trace captured, check out the Compact View to see lines similar to the following.

| 1. | NOTIFY_MODULE_START | ModuleName="HstsIisModule", Notification="BEGIN_REQUEST", fIsPostNotification="false" | 19:37:24.247 |
| -- | -- | -- | -- |
| 2. | GENERAL_SET_RESPONSE_HEADER | HeaderName="Strict-Transport-Security", HeaderValue="max-age=31536000", Replace="false" | 19:37:24.279 |
| 3. | NOTIFY_MODULE_END | ModuleName="HstsIisModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" | 19:37:24.279 |
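
The trace check described in this thread can be automated over a saved trace file. The following is an added example, not code from the thread or from the module's project: it classifies one traced request by whether `HstsIisModule` was invoked and whether a `Strict-Transport-Security` header was set. The XML layout (`Event`, `Data Name=...`, `Opcode`) is an assumption modelled on Failed Request Tracing files, the sample trace is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample trace (not from the issue); element layout is an assumption.
SAMPLE_TRACE = """<failedRequest url="https://localhost:443/" statusCode="200">
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
   <Data Name="ModuleName">HstsIisModule</Data>
  </EventData>
  <RenderingInfo Culture="en-US"><Opcode>NOTIFY_MODULE_START</Opcode></RenderingInfo>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
   <Data Name="HeaderName">Strict-Transport-Security</Data>
   <Data Name="HeaderValue">max-age=31536000</Data>
  </EventData>
  <RenderingInfo Culture="en-US"><Opcode>GENERAL_SET_RESPONSE_HEADER</Opcode></RenderingInfo>
 </Event>
</failedRequest>"""

def local(tag):
    """Drop the XML namespace so lookups work with or without it."""
    return tag.rsplit("}", 1)[-1]

def events(trace_xml):
    """Yield (opcode, {data name: value}) for every Event in the trace."""
    for ev in ET.fromstring(trace_xml).iter():
        if local(ev.tag) != "Event":
            continue
        opcode, data = None, {}
        for el in ev.iter():
            if local(el.tag) == "Opcode":
                opcode = (el.text or "").strip()
            elif local(el.tag) == "Data":
                data[el.get("Name")] = (el.text or "").strip()
        yield opcode, data

def diagnose_hsts(trace_xml, module="HstsIisModule"):
    """Classify one traced request: did the module run, and was the header set?"""
    ran, value = False, None
    for opcode, data in events(trace_xml):
        if opcode == "NOTIFY_MODULE_START" and data.get("ModuleName") == module:
            ran = True
        elif (opcode == "GENERAL_SET_RESPONSE_HEADER"
              and data.get("HeaderName", "").lower() == "strict-transport-security"):
            value = data.get("HeaderValue")
    if not ran:
        return ("module_not_invoked", None)
    return ("header_set", value) if value else ("module_ran_no_header", None)
```

A `module_not_invoked` result points at module registration or site-level enablement, while `module_ran_no_header` points back at the two checks listed earlier in the thread (the `enabled="true"` setting and whether the request was really HTTPS).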
