Victor-1779 asked Joyzhao-MSFT commented

SSRS 2019 Custom Header for fixing HSTS vulnerability

Hello,

Trying to fix HSTS (aka Strict-Transport-Security) by creating Custom Headers under Advanced configuration of SSRS 2019. Prior versions did not support custom headers. Currently, based on this link https://docs.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-reporting-services?view=sql-server-ver15 , I created the following custom headers, since we have standard report URLs which are https://servername/reports and https://servername/reportserver :

<CustomHeaders>
  <Header>
    <Name>Strict-Transport-Security</Name>
    <Pattern>(.+)\/Reports\/(.+)</Pattern>
    <!-- RFC 6797: includeSubDomains takes no value; "includeSubDomains=true" is malformed -->
    <Value>max-age=31536000; includeSubDomains</Value>
  </Header>
</CustomHeaders>

However, with the above only https://servername/reports shows strict transport security (HSTS) when I look at the developer tools in the browser (any browser such as Edge or Chrome), but not the https://server/reportserver URL. I tried changing the pattern matching to <Pattern>(.+)\/Report\/(.+)</Pattern> and it still does not work. I tried a few other combinations as well.

I will greatly appreciate it if you can provide the correct custom header pattern matching to use so that both SSRS URL pages are rendered using HSTS, which complies with our new security requirements.

Thanks.
Victor


sql-server-reporting-services
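As an added example (not part of the original question or of SSRS), here is a small Python check that does what the poster did by hand in the browser's developer tools: it looks at each SSRS URL's response headers, reports whether Strict-Transport-Security is present, and validates the header value against the RFC 6797 syntax. The two sample responses are constructed for the example; one carries includeSubDomains=true to show the validator flagging it. The fetch_headers helper is only needed for a live check against a real server.

```python
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample responses (not captured from a real SSRS server): the web
# portal URL carries an HSTS header, the web service URL does not.
SAMPLE_RESPONSES = {
    "https://servername/reports": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains=true"},
    "https://servername/reportserver": {},
}

def parse_hsts(value):
    """Parse an HSTS header value into {directive: value} and a list of problems."""
    directives, problems = {}, []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:
            problems.append(f"duplicate directive: {name}")
        directives[name] = val.strip()
    if not directives.get("max-age", "").isdigit():
        problems.append("max-age missing or not a non-negative integer")
    if directives.get("includesubdomains"):
        # RFC 6797: includeSubDomains has no value; "includeSubDomains=true" is malformed
        problems.append("includeSubDomains must not carry a value")
    return directives, problems

def check_hsts(headers):
    """Return (present, problems) for one response's header mapping."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["Strict-Transport-Security header absent"]
    return True, parse_hsts(value)[1]

def fetch_headers(url):
    """Live check: HEAD request; SSRS often answers 401 (Windows auth), headers still count."""
    try:
        return dict(urlopen(Request(url, method="HEAD"), timeout=10).headers.items())
    except HTTPError as err:
        return dict(err.headers.items())

def report(responses):
    """Summarise HSTS status per URL as {url: (present, problems)}."""
    return {url: check_hsts(headers) for url, headers in responses.items()}

if __name__ == "__main__":
    for url, (present, problems) in report(SAMPLE_RESPONSES).items():
        print(url, "HSTS present" if present else "no HSTS", problems)
```

For a live check, replace SAMPLE_RESPONSES with {url: fetch_headers(url) for url in urls}; a 401 from Windows authentication still returns the server's headers.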

Joyzhao-MSFT answered

Hi @Victor-1779 ,
As far as I know, the Web Service URL is the backend, which is utilized by the frontend and can also be used from your own application; and the Web Portal / Report Manager URL is the frontend to manage and show reports.

I think the Custom Header is for the Web Portal URL, not the Web Service URL. If you have questions about this, please post your question at https://feedback.azure.com/

Best Regards,
Joy


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Victor-1779 answered Joyzhao-MSFT commented

Thanks Joyzhao. I did post it to feedback.azure.com. Will see whether someone responds back or not.


I hope your issue will be approached as soon as possible.
