Make sure the web.config file in the root directory of your website is not set to read only on the properties page for that file.
Open Internet Information Services Manger. Select the website where you want to add this Strict-Transport-Security response header. Double click and select the Icon for HTTP Response Headers.
In HTTP Response Headers window, click on Add… on the right pane and type in Strict-Transport-Security for Name and max-age=63072000; includeSubDomains; preload for Value and click OK. The max-age value 63072000 is the number of seconds for the duration of two years. You need to enter a value of at least one year.
Source URL for this information: