Setup HSTS on Exchange Server 2019

As many customers asked for it, we’re happy to announce that Microsoft Exchange Server now officially supports HTTP Strict Transport Security, also known as HSTS.

What is HSTS and how can it help protecting my users?

HSTS is a policy mechanism that helps to protect websites (OWA or ECP when it comes to Exchange Server) against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It is a widely supported standard that was defined in RFC 6797.

It allows web servers to declare that web browsers should only interact with them using HTTPS connections, which provide encryption and authentication. The browser is instructed to enforce HSTS when it receives the Strict-Transport-Security (STS) header over an HTTPS connection.

HSTS prevents users from bypassing invalid certificate warnings (for example, expired, invalid or not trusted certificates, name mismatches…), which could indicate a compromised connection.

If an attacker tries to perform a protocol downgrade attack or a man-in-the-middle attack, the browser will detect the violation of the HSTS policy and abort the connection.

How do I configure HSTS?

We’ve published the documentation that contains all the necessary steps to configure HSTS on Exchange Server 2016 and 2019. You can find it here. I will show you the PowerShell commands to run on your Exchange OWA Access Servers to enable this.

Please read the documentation carefully as some of the settings that are provided by the default IIS HSTS implementation (for example, HTTP to HTTPS redirect) must be configured in a different way as they could otherwise break connectivity to Exchange Server.

Exchange HealthChecker will receive an update soon that will help you to find out if the HSTS configuration on your Exchange Server is as expected.

Enable HSTS with PowerShell for Exchange 2019

Run the following commands in PowerShell to Enable HSTS on Exchange 2019. Refer to the Microsoft Document Link above for the why and the details! Also, refer to the same documentation to enable on Exchange 2016 and below…


We can’t redirect HTTP to HTTPS using the HSTS configuration, as this breaks connectivity for some scenarios, including the Exchange Management Shell (EMS). If you want to enable HTTP to HTTPS redirect, you must follow the steps outlined in Configure http to https redirection for Outlook on the web in Exchange Server. Here are the list of commands to do it through an Administrative Command Prompt. MAKE SURE YOU CHANGE THE OWA URL value on the one command to add your OWA domain. The commands also assume that you are using the DEFAULT VIRTUAL DIRECTORIES in IIS for Exchange Server 2019.

Hopefully, this will help further lock down your Exchange 2019 servers until V-Next comes out next year!


Configure HTTP Strict Transport Security (HSTS) in Exchange Server | Microsoft Learn
Configure http to https redirection for Outlook on the web in Exchange Server | Microsoft Learn

About Lance Lingerfelt

Lance Lingerfelt Profile Photo

Lance Lingerfelt is an M365 Specialist and Evangelist with over 20 years of experience in the Information Technology field. Having worked in enterprise environments to small businesses, he is able to adapt and provide the best IT Training and Consultation possible. With a focus on AI, the M365 Stack, and Healthcare, he continues to give back to the community with training, public speaking events, and this blog.

Get E-Mail Updates
I agree to have my personal information transfered to MailChimp ( more information )
Want to know when I post new content? Sign up here to get an email when I do post!
I despise spam. Your email address will not be sold or shared with anyone else.