SSRS 2019 Custom Header for fixing HSTS vulnerability

Victor 66 Reputation points
2022-04-16T19:59:01.99+00:00

Hello,

Trying to fix HSTS (aka Strict-Transport-Security) by creating Custom Headers under Advanced configuration of SSRS 2019. Prior versions did not support custom headers. Currently, based on this link https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-reporting-services?view=sql-server-ver15 , did create following custom headers since we have standard reports urls which are https://servername/reports and https://servername/reportserver :

<CustomHeaders>
<Header>
<Name>
Strict-Transport-Security
</Name>
<Pattern>(.+)/Reports/(.+)
</Pattern>
<Value>max-age=31536000; includeSubDomains=true
</Value>
</Header>
</CustomHeaders>

However, with the above only https://servername/reports shows strict transport security (HSTS) when I look at the developer tools from the browser (any browser such as Edge or Chrome), but not https://server/reportserver url. I tried changing the pattern matching to <Pattern>(.+)/Report/(.+)</Pattern> and it still does not work. I tried few other combinations as well.

Will greatly appreciate if you can provide the correct custom header pattern matching to use so that both the SSRS urls pages are rendered using HSTS which complies with our new security requirements.

Thanks.
Victor

SQL Server Reporting Services
SQL Server Reporting Services
A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.
2,771 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Victor 66 Reputation points
    2022-04-19T01:04:23.683+00:00

    Thanks Joyzhao. I did post it to feedback.azure.com. Will see whether someone responds back or not.

    1 person found this answer helpful.

  2. Joyzhao-MSFT 15,561 Reputation points
    2022-04-18T03:17:28.303+00:00

    Hi @Victor ,
    As far as I know, Web Service URL is the backend, which is utilize by the frontend and also can be use from own application; and Web Portal / Report Manager URL ist the frontend to manage & Show reports.

    I think Custom Header is for Web Portal URL not Web Service URL, if you have questions about this, please post your question at https://feedback.azure.com/

    Best Regards,
    Joy


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments