UPDATE:
If you are running ASP.NET, you want to install NWebsec. It will allow you to configure HSTS but also Content-Security-Policy and other headers related to the OWASP Secure Headers Project.
This solution was covered by Scott Hanselman in his blog (source at the bottom of the answer).
Basically, HSTS is just an HTTP header. But you only want to send it when you are in HTTPS. This will then lock your site in HTTPS for the max-age specified.
Here's what should be in the web.config of your application:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
Source
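A small policy checker for the behaviour the two rules above are meant to produce, written as an added example (it is not from the original answer, nor from NWebsec or IIS URL Rewrite): it parses the Strict-Transport-Security value and flags an HSTS header sent over plain HTTP, a missing permanent redirect to HTTPS, or a max-age shorter than the one-year value used above. The response dicts and the example.test host are constructed sample data.

```python
import re

# Constructed responses shaped like those the web.config above should produce:
# plain HTTP gets a redirect and no HSTS; HTTPS gets HSTS with a one-year max-age.
SAMPLE_RESPONSES = [
    {"scheme": "http", "status": 301,
     "headers": {"Location": "https://example.test/path"}},
    {"scheme": "https", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
]
MIN_MAX_AGE = 31536000  # one year, the value used in the rewrite rule above


def parse_hsts(value):
    """Parse an HSTS value; None if malformed (RFC 6797: exactly one numeric
    max-age; directive names are case-insensitive; unknown ones are ignored)."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None  # duplicate or non-numeric max-age
            max_age = int(arg)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    if max_age is None:
        return None
    return {"max_age": max_age, "flags": flags}


def check_response(resp):
    """Return the list of HSTS/redirect policy problems for one response."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    hsts = headers.get("strict-transport-security")
    if resp["scheme"] == "http":
        problems = []
        if hsts is not None:  # browsers ignore HSTS received over plain HTTP
            problems.append("HSTS header sent over plain HTTP")
        if resp["status"] not in (301, 308) or \
                not headers.get("location", "").startswith("https://"):
            problems.append("HTTP request not permanently redirected to HTTPS")
        return problems
    if hsts is None:
        return ["HTTPS response lacks Strict-Transport-Security"]
    parsed = parse_hsts(hsts)
    if parsed is None:
        return [f"malformed Strict-Transport-Security value: {hsts!r}"]
    if parsed["max_age"] < MIN_MAX_AGE:
        return [f"max-age {parsed['max_age']} is below {MIN_MAX_AGE}"]
    return []
```

Run `check_response` over captured responses for both schemes; an empty list means the response matches the policy the rules above encode.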