HSTS for Default page on SSRS

Craig Garland 296 Reputation points
2024-03-15T03:39:19.55+00:00

Hi,

Our SSRS server is failing a vulnerability (Nessus) scan for HSTS. I have been able to add the SQL CustomHeader for HSTS and I can confirm this is working.

SQL CustomHeader XML string

<CustomHeaders><Header><Name>Strict-Transport-Security</Name><Pattern>(.+)/Reports/(.+)</Pattern><Value>max-age=31536000; includeSubDomains=true</Value></Header></CustomHeaders>

If you check the headers https://servername/Reports it shows that HSTS is enabled. If you check the header for https://ServerName then no HSTS is returned.

What I would like to know is how to add the HSTS header to the default pages for SSRS?

Thanks for your time in advance.

Regards

Craig
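An offline check of the CustomHeaders setting posted above, as an added example that is not part of the question, of the answers, or of SSRS itself. It parses the XML string, applies the Pattern to a few constructed sample URLs (root, portal, web service) to show which responses would carry the header, and validates the header value against the directive syntax of RFC 6797. The one assumption it makes is that SSRS treats Pattern as an unanchored, case-sensitive regular expression tested against the full request URL (as .NET Regex.IsMatch does) and emits Value only on a match; the sample URLs and the hostname are constructed.

```python
# Added example, not code from the question or from SSRS: evaluate the
# CustomHeaders setting offline to see which request URLs would get the
# Strict-Transport-Security header, and check the header value against the
# directive syntax of RFC 6797.
#
# Assumption: SSRS treats <Pattern> as an unanchored, case-sensitive regular
# expression tested against the full request URL (as .NET Regex.IsMatch
# would) and emits <Value> only when it matches.
import re
import xml.etree.ElementTree as ET

# The CustomHeaders string posted in the question, verbatim.
CUSTOM_HEADERS_XML = (
    "<CustomHeaders><Header><Name>Strict-Transport-Security</Name>"
    "<Pattern>(.+)/Reports/(.+)</Pattern>"
    "<Value>max-age=31536000; includeSubDomains=true</Value>"
    "</Header></CustomHeaders>"
)

# Constructed sample URLs covering the root, the portal and the web service.
SAMPLE_URLS = [
    "https://servername/",
    "https://servername/Reports",
    "https://servername/Reports/browse/",
    "https://servername/ReportServer/",
]


def parse_custom_headers(xml_text):
    """Return a list of (header name, compiled pattern, header value)."""
    root = ET.fromstring(xml_text)
    parsed = []
    for header in root.findall("Header"):
        name = header.findtext("Name")
        pattern = header.findtext("Pattern")
        value = header.findtext("Value")
        parsed.append((name, re.compile(pattern), value))
    return parsed


def headers_for_url(parsed_headers, url):
    """Headers SSRS would add to a response for this URL (under the assumption above)."""
    return {name: value for name, pattern, value in parsed_headers if pattern.search(url)}


def check_hsts_value(value):
    """Validate an HSTS field value per RFC 6797. Returns (ok, max_age, problems)."""
    problems = []
    max_age = None
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, sep, val = directive.partition("=")
        key = name.strip().lower()
        if key in seen:
            problems.append(f"directive '{key}' appears more than once")
        seen.add(key)
        if key == "max-age":
            if not sep or not val.strip().isdigit():
                problems.append("max-age needs a non-negative integer value")
            else:
                max_age = int(val.strip())
        elif key in ("includesubdomains", "preload"):
            # RFC 6797 section 6.1.2 defines includeSubDomains as a valueless
            # directive ('=true' is not part of its syntax); preload, which is
            # outside the RFC, is likewise written without a value.
            if sep:
                problems.append(f"'{directive}' must not carry a value; write '{name.strip()}' alone")
        # Any other directive name is ignored, as RFC 6797 requires of clients.
    if max_age is None:
        problems.append("max-age directive is required")
    return (not problems, max_age, problems)


def coverage_report(xml_text=CUSTOM_HEADERS_XML, urls=SAMPLE_URLS):
    """Map each URL to the HSTS value it would receive, or None, for review."""
    parsed = parse_custom_headers(xml_text)
    return {url: headers_for_url(parsed, url).get("Strict-Transport-Security") for url in urls}


if __name__ == "__main__":
    for url, hsts in coverage_report().items():
        print(f"{url:40} -> {hsts or 'no HSTS header'}")
    for _, _, value in parse_custom_headers(CUSTOM_HEADERS_XML):
        ok, max_age, problems = check_hsts_value(value)
        print(f"value {value!r}: {'ok' if ok else 'problems: ' + '; '.join(problems)}")
```

Under this model only URLs containing "/Reports/" receive the header: the root, the bare "/Reports" path without a trailing slash, and the "/ReportServer/" web service endpoint all fall outside the pattern, which is why a scanner requesting the root reports the finding. The check also flags "includeSubDomains=true": RFC 6797 defines includeSubDomains without a value, so a client is not obliged to honour the directive as written. When re-testing, request the exact URL the scanner uses and inspect that response without following redirects.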


3 answers

  1. ZoeHui-MSFT 35,556 Reputation points
    2024-03-15T06:28:16.7366667+00:00

    Hi @Craig Garland,

    "the default pages for SSRS"

    The default page for SSRS is https://servername/Reports

    https://ServerName is your local computer address.

    Check Server properties Advanced page - Power BI Report Server & Reporting Services to set the CustomHeaders.

    Regards,

    Zoe Hui


    If the answer is helpful, please click "Accept Answer" and upvote it.


  2. ZoeHui-MSFT 35,556 Reputation points
    2024-03-22T08:39:02+00:00

    Hi @Craig Garland,

    Please check if below is what you want for SSRS.

    Web.config for the Report Server Web service
        Contents: Includes only those settings that are required for ASP.NET.
        Location: <Installation directory>\Reporting Services\ReportServer

    Web.config for Report Manager
        Contents: Includes only those settings that are required for ASP.NET, if applicable for the SSRS version.
        Location: <Installation directory>\Reporting Services\ReportManager

  3. David Neese 0 Reputation points
    2024-07-23T17:34:51.8333333+00:00

    Craig Garland

    I was able to mitigate this finding for SSRS by installing IIS 10 (Server 2022), and the URL Re-write module and setting up a website running on the same port. The below assumes you have a working SSRS instance already running. Basically, this makes SSRS run in conjunction with IIS with IIS answering for the root of the server and redirecting everything else to SSRS. It is imperative that the SSRS service is running in order for this to operate as desired.

    Here is what I did:

    1. Install IIS & URL Re-write module.
    2. In IIS, set up website with valid SSL certificate (same as what's used in SSRS) using the same port that SSRS is hosted on (you may get an error from IIS when attempting to start the site, just ignore it and start it anyway). Turn on HSTS for the site.
    3. Set up the application pools to run with accounts with appropriate permissions to the default installation directory of "C:\Program Files\Microsoft SQL Server Reporting Services". The application pool should be using a Classic managed Pipeline, v4 .NET.
    4. Under the site you set up in step 2, create a sub-application for the report server and make the physical path "C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer" and the virtual name "ReportServer", just as it is in SSRS.
    5. Also under the site you set up in step 2, create a virtual folder called "Reports" and point it to the physical path of "C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\Pages".
    6. Ensure that the SSRS service is running in the console. SSRS should be functioning at this point, but now you need to set up a Redirect rule on the site that redirects all requests to the destination server on the port you want, but to the /reports folder, e.g.: "https://www.yourURL.com:YourPort/Reports/". The Redirect Behavior should be set up like the screenshot below.
    7. I also have some inbound URL Re-write rules that change the IP to the hostname and any unsecure HTTP requests to HTTPS, as well as an outbound one that applies HSTS to all responses from IIS set at the server level, not just for that site. These are optional, but provide better security for your environment, if required.

    [User's image: screenshot of the Redirect Behavior settings referred to in step 6]
