Ensure that all application communications occur over HTTPS
Enable the HTTP Strict-Transport-Security (HSTS) header so that browsers enforce HTTPS for all transfers. Browsers only honour the header when it arrives over HTTPS, so the site must already serve HTTPS and should redirect plain-HTTP requests to it.
Configure HSTS on IIS 7/8
1. Open IIS Manager.
2. Select your site.
3. Open HTTP Response Headers.
4. Click Add in the Actions pane.
5. In the Add Custom HTTP Response Header dialog, enter Name: Strict-Transport-Security and Value: max-age=15552001; includeSubDomains; preload
The HTTP Strict-Transport-Security response header (HSTS) lets a website tell browsers that it must only be accessed over HTTPS, never plain HTTP, for max-age seconds after the header was last seen; includeSubDomains extends the policy to every subdomain. Browsers ignore the header when it is received over plain HTTP, so the site must serve HTTPS first and redirect HTTP requests to it. The preload directive only takes effect once the domain is submitted to the browser preload lists, which require includeSubDomains and a max-age of at least 31536000 seconds (one year); the 15552001-second value above (about 180 days) must be raised before submission. A preloaded policy is hard to undo, so test with a short max-age before committing to it.