HSTS for Default page on SSRS

Craig Garland 286 Reputation points
2024-03-15T03:39:19.55+00:00

Hi,

Our SSRS server is failing a vulnerability (Nessus) scan for HSTS. I have been able to add the SQL CustomHeader for HSTS and I can confirm this is working.

SQL CustomHeader XML string

<CustomHeaders><Header><Name>Strict-Transport-Security</Name><Pattern>(.+)/Reports/(.+)</Pattern><Value>max-age=31536000; includeSubDomains=true</Value></Header></CustomHeaders>

If you check the headers https://servername/Reports it shows that HSTS is enabled. If you check the header for https://ServerName then no HSTS is returned.

What I would like to know is how to add the HSTS header to the default pages for SSRS?

Thanks for your time in advance.

Regards

Craig

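As an added check (example code, not from the question or from Microsoft), the following Python parses the CustomHeaders string above, simulates which request URLs its Pattern selects, and lints the header value against RFC 6797. It assumes SSRS applies a custom header when the Pattern regex matches the full request URL; the sample URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The CustomHeaders value from the question, copied verbatim.
CUSTOM_HEADERS_XML = (
    "<CustomHeaders><Header><Name>Strict-Transport-Security</Name>"
    "<Pattern>(.+)/Reports/(.+)</Pattern>"
    "<Value>max-age=31536000; includeSubDomains=true</Value></Header></CustomHeaders>"
)


def parse_custom_headers(xml_text):
    """Return a list of (name, compiled_pattern, value) from a CustomHeaders string."""
    root = ET.fromstring(xml_text)
    return [
        (h.findtext("Name"), re.compile(h.findtext("Pattern")), h.findtext("Value"))
        for h in root.findall("Header")
    ]


def headers_for_url(url, headers):
    """Headers that would be added to a response for `url`.

    Assumption: SSRS adds the header when the Pattern matches the whole request URL.
    """
    return {name: value for name, pat, value in headers if pat.fullmatch(url)}


def uncovered_urls(urls, headers, name="Strict-Transport-Security"):
    """URLs in `urls` that would be served without the named header."""
    return [u for u in urls if name not in headers_for_url(u, headers)]


def check_hsts_value(value):
    """Lint an HSTS value: max-age is required and includeSubDomains takes no value (RFC 6797)."""
    problems = []
    directives = {}
    for d in value.split(";"):
        if d.strip():
            k, _, v = d.partition("=")
            directives[k.strip().lower()] = v.strip()
    if not directives.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    if "includesubdomains" in directives and directives["includesubdomains"] != "":
        problems.append("includeSubDomains takes no value per RFC 6797")
    return problems


if __name__ == "__main__":
    hdrs = parse_custom_headers(CUSTOM_HEADERS_XML)
    # Constructed sample URLs: the portal root and the report server root are not matched
    # by "(.+)/Reports/(.+)", which is the gap the Nessus finding points at.
    sample = ["https://servername/", "https://servername/Reports/browse/",
              "https://servername/ReportServer/"]
    print("Without HSTS:", uncovered_urls(sample, hdrs))
    print("Value problems:", check_hsts_value(hdrs[0][2]))
```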

2 answers

Sort by: Most helpful
  1. ZoeHui-MSFT 32,506 Reputation points
    2024-03-15T06:28:16.7366667+00:00

    Hi @Craig Garland,

    "the default pages for SSRS"

    The default page for SSRS is https://servername/Reports

    https://ServerName is your local computer address.

    Check Server properties Advanced page - Power BI Report Server & Reporting Services to set the CustomHeaders.

    Regards,

    Zoe Hui


    If the answer is helpful, please click "Accept Answer" and upvote it.


  2. ZoeHui-MSFT 32,506 Reputation points
    2024-03-22T08:39:02+00:00

    Hi @Craig Garland,

    Please check if below is what you want for SSRS.

    Web.config for the Report Server Web service: includes only those settings that are required for ASP.NET. Location: <Installation directory>\Reporting Services\ReportServer
    Web.config for Report Manager: includes only those settings that are required for ASP.NET, if applicable for the SSRS version. Location: <Installation directory>\Reporting Services\ReportManager