HSTS for Default page on SSRS

Question

Hi,

Our SSRS server is failing a vulnerability (Nessus) scan for HSTS. I have been able to add the SQL CustomHeader for HSTS and I can confirm this is working.

SQL CustomHeader XML string

<CustomHeaders><Header><Name>Strict-Transport-Security</Name><Pattern>(.+)/Reports/(.+)</Pattern><Value>max-age=31536000; includeSubDomains=true</Value></Header></CustomHeaders>

If you check the headers https://servername/Reports it shows that HSTS is enabled. If you check the header for https://ServerName then no HSTS is returned.

What I would like to know is how to add the HSTS header to the default pages for SSRS?

Thanks for your time in advance.

Regards

Craig

Answer 1

Hi @Craig Garland,

the default pages for SSRS

The default page for SSRS is https://servername/Reports

https://ServerName is your local computer address.

Check Server properties Advanced page - Power BI Report Server & Reporting Services to set the CustomHeaders.

Regards，

Zoe Hui

---

If the answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Hi @Craig Garland,

Please check if below is what you want for SSRS.

Web.config for the Report Server Web service	Includes only those settings that are required for ASP.NET.	<Installation directory>\Reporting Services\ReportServer
Web.config for the Report Server Web service	Includes only those settings that are required for ASP.NET.	<Installation directory>\Reporting Services\ReportServer
Web.config for Report Manager	Includes only those settings that are required for ASP.NET if applicable for the SSRS version.	<Installation directory>\Reporting Services\ReportManager