Symptoms
After enabling an HTTP Strict-Transport-Security (HSTS) policy through URL Rewrite rules, the Administration and Monitoring console can no longer be opened: every request fails with HTTP 500 Internal Server Error.
Cause
- The header rules were added to the configuration file incorrectly (for example, an element left unclosed), so the configuration itself became invalid and can no longer be loaded.
- The Strict-Transport-Security rule was added as an inbound rule (inside <rules>) instead of an outbound rule (inside <outboundRules>).
Resolution
To use an HTTP Strict-Transport-Security (HSTS) policy, URL Rewrite rules have to be added that attach a Strict-Transport-Security (STS) header to HTTPS responses.
Because the header is added to the response, it must be configured as an outbound rule: only outbound rules can rewrite response attributes such as a response header. Inbound rules act on the incoming request only and cannot set a response header, so an STS rule placed under <rules> does not work.
The 500 error appears either because the rule was inserted in a way that left the configuration file malformed, or because the rule was placed in the inbound <rules> section instead of <outboundRules>.
To make the configuration work again, it has to contain the following outbound rule (the rule name is arbitrary; the serverVariable, condition and action are what matter):
    <outboundRules>
      <rule name="Add the STS header in HTTPS responses" enabled="true">
        <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
        <conditions>
          <add input="{HTTPS}" pattern="on" ignoreCase="true" />
        </conditions>
        <action type="Rewrite" value="max-age=31536000" />
      </rule>
    </outboundRules>
Place the <outboundRules> element inside the <rewrite> element of the configuration, directly after the closing </rules> tag of the inbound rules, never inside <rules>. The {HTTPS} condition keeps the header out of plain-HTTP responses, which browsers ignore anyway. Note that max-age=31536000 makes browsers refuse plain HTTP for the host for one year once they have seen the header, so verify the rule on a non-production host first and, after saving, confirm with a browser's developer tools (or curl -I) that only HTTPS responses carry the header.
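The following offline check, added here as an example and not part of the original article or the product's own tooling, parses a web.config fragment with Python's standard XML library and reports the two causes described above: a malformed file, and the STS rule placed under <rules> (inbound) rather than <outboundRules>. It also flags an outbound rule that is disabled, does not use a Rewrite action, or lacks the {HTTPS} condition. The three configuration samples are constructed for this check; the rule name and serverVariable are taken from the article.

```python
"""Offline lint for the HSTS URL Rewrite rule in an IIS web.config."""
import xml.etree.ElementTree as ET

STS_VARIABLE = "RESPONSE_Strict_Transport_Security"

# Constructed sample 1: the STS rule placed under <rules>, i.e. as an inbound rule.
# Inbound rules only rewrite the request, so this cannot set a response header.
BROKEN_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Add the STS header in HTTPS responses" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

# Constructed sample 2: the same rule under <outboundRules>, placed after </rules>.
CORRECT_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules />
      <outboundRules>
        <rule name="Add the STS header in HTTPS responses" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""

# Constructed sample 3: the <rule> element is never closed, so the file is not well-formed.
MALFORMED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Add the STS header in HTTPS responses" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <action type="Rewrite" value="max-age=31536000" />
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def _looks_like_sts_rule(rule):
    """True if a rule targets the STS response variable or carries a max-age value."""
    match, action = rule.find("match"), rule.find("action")
    return (match is not None and match.get("serverVariable") == STS_VARIABLE) or (
        action is not None and action.get("value", "").lower().startswith("max-age=")
    )


def _has_https_condition(rule):
    """True if the rule only fires when the {HTTPS} server variable is 'on'."""
    return any(
        cond.get("input") == "{HTTPS}" and cond.get("pattern", "").lower() == "on"
        for cond in rule.findall("conditions/add")
    )


def check_hsts_rule(web_config_xml):
    """Return a list of findings; an empty list means the STS rule is placed correctly."""
    findings = []
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        # A malformed file is the first cause named in the article.
        return [f"web.config is not well-formed XML: {exc}"]

    rewrite = next(root.iter("rewrite"), None)
    if rewrite is None:
        return ["no <rewrite> section found under <system.webServer>"]

    # Second cause: the STS rule sits in <rules> (inbound) instead of <outboundRules>.
    for rule in rewrite.findall("rules/rule"):
        if _looks_like_sts_rule(rule):
            findings.append(f"rule {rule.get('name')!r} is an inbound rule; move it from <rules> to <outboundRules>")

    outbound = [
        r for r in rewrite.findall("outboundRules/rule")
        if r.find("match") is not None and r.find("match").get("serverVariable") == STS_VARIABLE
    ]
    if not outbound:
        findings.append(f"no outbound rule matches serverVariable {STS_VARIABLE}")

    for rule in outbound:
        name = rule.get("name")
        if rule.get("enabled", "true").lower() != "true":
            findings.append(f"outbound rule {name!r} is disabled")
        action = rule.find("action")
        if action is None or action.get("type") != "Rewrite" or not action.get("value", "").startswith("max-age="):
            findings.append(f"outbound rule {name!r} must use <action type=\"Rewrite\" value=\"max-age=...\" />")
        if not _has_https_condition(rule):
            # RFC 6797 requires the STS header to be sent over TLS only.
            findings.append(f"outbound rule {name!r} lacks the {{HTTPS}} = on condition")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_WEB_CONFIG), ("correct", CORRECT_WEB_CONFIG), ("malformed", MALFORMED_WEB_CONFIG)):
        print(label, check_hsts_rule(cfg) or ["OK"])
```

Run it against the real web.config by reading the file into check_hsts_rule; an empty result means the rule is an enabled outbound Rewrite rule guarded by the {HTTPS} condition, which is the state the resolution above requires.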