HSTS Header on SM Redirect

Document ID : KB000074958
Last Modified Date : 28/03/2018
Introduction:
The HSTS or HTTP Strict Transport Security (RFC6797) spec says:

An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the Strict-Transport-Security HTTP response header field over secure transport (e.g. TLS).

 
Example:
web.config file (system.webServer section):

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>


Use case:
 
We are trying to remediate a security finding where no HSTS header is set when the web agent redirects the user to a Login page for Authentication. 

 
Question:

This is the flow:
1. User hits a protected page.
2. SiteMinder is configured for Forms Authentication and redirects the user to a Login.asp page.

On the 302 to the login page there is no HSTS header, but on the 200 when the page is rendered there is an HSTS header. The finding is that there is NO HSTS header on the 302, and they are expecting to see the header there as well.

Is this the expected behavior, or can we do something about the HSTS header on the redirect?
Environment:
SiteMinder Policy Server Version: 12.52 SP01 CR08 
Policy Server O/S: Win 2008 R2 
Policy Store Database: CA Directory 
User Store Database: AD 
Web Server: IIS 7 
Web Server O/S: Win 2008 R2 
SiteMinder Web Agent Version: R12.52 SP01 CR05 
Environment: Production 

 
We only have one web server in play here; the login page is also hosted on it, and it also has the HSTS header configuration.
 
Answer:
HSTS is not natively supported by IIS before Windows Server 2016 / IIS 10.
IIS 10 requires Web Agent 12.52 SP1 CR6 Build 2331 or CR8.
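To verify a remediation, a practitioner wants to check every hop of the redirect chain, not just the final 200, because a scanner flags any HTTPS response that lacks the header. The script below is an added example and is not part of the KB article or of CA/Broadcom's product code. It parses the Strict-Transport-Security value per RFC 6797 (max-age is mandatory), applies the one-year max-age from the web.config example above as the baseline, and evaluates each response in a chain. The two sample responses are constructed to model the flow in the question (a 302 to Login.asp without the header, then a 200 with it); the Login.asp URL and hostname are hypothetical. fetch_chain() retrieves a live chain hop by hop and is not exercised offline.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from a real system) modelling
# the two hops described in the article: the web agent's 302 to Login.asp,
# which carries no HSTS header, and the 200 for the rendered page, which does.
SAMPLE_REDIRECT: Tuple[int, Dict[str, str]] = (302, {
    "Location": "https://www.example.com/siteminderagent/forms/Login.asp",  # hypothetical URL
    "Server": "Microsoft-IIS/7.5",
})
SAMPLE_PAGE: Tuple[int, Dict[str, str]] = (200, {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
})

MIN_MAX_AGE = 31536000  # one year, the value used in the article's web.config example


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns None when the mandatory max-age directive is missing or not numeric.
    Directive names are case-insensitive; the max-age value may be quoted.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_response(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether one HTTPS response satisfies the HSTS finding."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return False, f"{status}: no Strict-Transport-Security header"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, f"{status}: malformed HSTS value {value!r}"
    if parsed["max_age"] < MIN_MAX_AGE:
        return False, f"{status}: max-age {parsed['max_age']} is below {MIN_MAX_AGE}"
    return True, f"{status}: HSTS present (max-age={parsed['max_age']})"


def check_flow(responses: List[Tuple[int, Dict[str, str]]]) -> List[Tuple[bool, str]]:
    """Check every hop of a redirect chain; a scanner flags any hop without HSTS."""
    return [check_response(status, headers) for status, headers in responses]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so each hop can be inspected individually."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_chain(url: str, max_hops: int = 5) -> List[Tuple[int, Dict[str, str]]]:
    """Fetch url hop by hop, returning (status, headers) for each response.

    Performs live HTTP requests, so it is not exercised by the offline sample run.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    chain: List[Tuple[int, Dict[str, str]]] = []
    for _ in range(max_hops):
        try:
            with opener.open(url) as resp:
                chain.append((resp.status, dict(resp.headers)))
                break
        except urllib.error.HTTPError as err:
            # With redirects disabled, a 3xx surfaces here as an HTTPError.
            chain.append((err.code, dict(err.headers)))
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urllib.parse.urljoin(url, location)
                continue
            break
    return chain


if __name__ == "__main__":
    for ok, detail in check_flow([SAMPLE_REDIRECT, SAMPLE_PAGE]):
        print("PASS" if ok else "FAIL", detail)
```

Run as-is, the sample chain reports FAIL for the 302 and PASS for the 200, which is exactly the finding in the question; replacing the sample list with fetch_chain("https://<your-host>/<protected-page>") checks a real agent-protected URL the same way.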
Additional Information:
For further details on HSTS and the explanation above, see the IIS vendor documentation (https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/hsts), the CA Platform Support Matrix and the docops.ca.com product documentation.