PhillipsKeith-1816 asked PhillipsKeith-1816 commented

SSRS - Does SSRS 2016 support HSTS

The title really says it all - does SQL Server Reporting Services support HSTS? I've looked at numerous Q/As on the subject, to no avail.
Unfortunately, our security team needs something "official" from Microsoft saying HSTS is not supported in SSRS 2016 before they let me off the hook on this question.

sql-server-reporting-services

Joyzhao-MSFT answered PhillipsKeith-1816 commented

Hi @PhillipsKeith-1816
The role of HSTS is to force the client (such as a browser) to use HTTPS to establish a connection with the server. The method for the server to enable HSTS is to include the Strict-Transport-Security field in the Hypertext Transfer Protocol (HTTP) response header returned by the server when the client sends a request via HTTPS. The HSTS field set during unencrypted transmission is invalid.

If the server is not configured with https, HSTS configuration should not be added. Incompatible headers may cause browser rendering errors. CustomHeaders is only available for Reporting Services 2019 and later versions.

You may need a later version of Reporting Services to add the Strict-Transport-Security field to the matching request in the header.

The below example shows how to set the HSTS for URLs with matching regex pattern:

 <CustomHeaders>
     <Header>
         <Name>Strict-Transport-Security</Name>
         <Pattern>(.+)\/Reports\/mobilereport(.+)</Pattern>
         <Value>max-age=86400; includeSubDomains=true</Value>
     </Header>
 </CustomHeaders>

The header in the above XML adds Strict-Transport-Security: max-age=86400; includeSubDomains=true header to the matched requests.

  • http://adventureworks/Reports/mobilereport/New%20Mobile%20Report - Regex matched and will set HSTS header

  • http://adventureworks/ReportServer/mobilereport/New%20Mobile%20Report – Match Failed

For more information, please refer to: Server Properties Advanced Page - Power BI Report Server & Reporting Services.
Best Regards,
Joy


If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Thanks - that's sort of what I expected, as I'd seen in other posts from other sites.

Appreciate the feedback!

cooldadtx answered

HSTS is a browser feature. Not really sure what SSRS would have to do with that. HSTS is a security measure that basically means once a site transitions to HTTPS it cannot transition back. This is a security feature in the browser such that malicious software cannot trick a user into switching to unencrypted HTTP and then be able to access sensitive data as it goes across the wire. Again, not really sure how SSRS would play into this.

To use SSRS you generally host the report viewer in your (web) app directly. HSTS isn't relevant to SSRS here as your app is responsible for it already. If your app is using HSTS then you're secure; otherwise you're not. Server-to-server communications (aka your calls to SSRS behind the scenes) aren't going through the browser and therefore HSTS doesn't apply.

HSTS might be relevant if you are sending your users to the SSRS UI directly. In this case AFAIK it doesn't support HSTS (at least in 2016) because that pre-dates HSTS becoming popular and furthermore only internal (hopefully trustworthy) users should have access to your main SSRS UI anyway. HSTS is probably less important here. You can confirm however by going to the SSRS UI in your browser and then looking at the request headers that were sent. HSTS is "enabled" by the server (SSRS in this case) sending a specific HTTP header in the response. If you don't see that header then HSTS is not enabled. But if you're really worried about this case then I think you should reconsider sending your users to the SSRS UI anyway. The better, more secure route would be to build your own reporting UI navigator in your web app directly.

Also note that SQL 2019 is the first version of SSRS UI to properly work with non-IE browsers. Since HSTS support wasn't added to IE 11 until a post-release update it is questionable whether you should even be relying on the SSRS UI if you're worried about HSTS under SQL 2016. Only IE would work properly anyway.
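An added example (not code from either answer or from Microsoft) tying the two answers together: it applies the CustomHeaders pattern from the first answer to the two sample URLs to show which one gets the Strict-Transport-Security header, and implements the check from the second answer of inspecting a response's headers for HSTS. It also flags the case the first answer mentions, an HSTS header delivered over plain HTTP, which browsers ignore. The XML and the response headers are constructed copies; applying each Pattern as an unanchored regex search is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the CustomHeaders fragment quoted in the first answer
# (the setting itself exists only in Reporting Services 2019 and later).
CUSTOM_HEADERS_XML = r"""
<CustomHeaders>
    <Header>
        <Name>Strict-Transport-Security</Name>
        <Pattern>(.+)\/Reports\/mobilereport(.+)</Pattern>
        <Value>max-age=86400; includeSubDomains=true</Value>
    </Header>
</CustomHeaders>
"""


def headers_for_url(xml_text, url):
    """Return the custom headers the server would add for `url`.
    Assumption: each <Pattern> is matched as an unanchored regex search."""
    added = {}
    for header in ET.fromstring(xml_text.strip()).findall("Header"):
        if re.search(header.findtext("Pattern"), url):
            added[header.findtext("Name")] = header.findtext("Value")
    return added


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives.
    Accepts both 'includeSubDomains' and the 'includeSubDomains=true' form."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip() or True
    return directives


def hsts_status(response_headers, url):
    """The check from the second answer: did the response carry an HSTS header?
    'effective' is False when the page was served over plain http, because
    browsers only honour the header on an HTTPS response."""
    for name, value in response_headers.items():
        if name.lower() == "strict-transport-security":
            d = parse_hsts(value)
            return {"enabled": True,
                    "max_age": int(d.get("max-age", 0)),
                    "include_subdomains": "includesubdomains" in d,
                    "effective": url.lower().startswith("https://")}
    return {"enabled": False, "max_age": 0,
            "include_subdomains": False, "effective": False}
```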
