SSRS Header required when user tries to access report portal but is unauthorized
In SSRS 2019, Microsoft added the ability to add a custom header to a report request: https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-reporting-services?view=sql-server-ver15
We need to add the Strict-Transport-Security header. I added this to the system properties of the report server:
<CustomHeaders>
  <Header>
    <Name>Strict-Transport-Security</Name>
    <!-- Pattern is a regex matched against the request URL; (.+) applies to every request. -->
    <Pattern>(.+)</Pattern>
    <!-- RFC 6797: includeSubDomains is a valueless directive, so "includeSubDomains=true" is
         not valid syntax. Note 3153600 seconds is about 36 days; one year is 31536000. -->
    <Value>max-age=3153600; includeSubDomains</Value>
  </Header>
</CustomHeaders>
The Strict-Transport-Security header shows up with the following URLs under certain conditions:
- https://url/Reports
- https://url/ReportServer
- https://url
The last URL is not valid for our server, but the STS header is returned.
The first two return the STS header only if the user is authorized. If the user has not logged in, the STS header is conspicuously missing.
Our government requirement is that the STS header should be in the header for these urls even if the user is not authorized.
What can we do to force SSRS to include the STS header in this case?
I tested one other web site and tried to access something I was not authorized to access. The STS header was included in the response even though I was unauthorized.
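A small check for the behaviour described above, added here as an example and not part of the question or of SSRS: it fetches each URL anonymously (keeping the 401/403 response instead of raising), then parses the Strict-Transport-Security value per RFC 6797 and flags a missing header, a short max-age, or the invalid "includeSubDomains=true" form. The "https://url/..." labels and the sample responses are constructed.

```python
import re
import urllib.error
import urllib.request

# Constructed sample responses mirroring the question: the anonymous (401)
# response carries no HSTS header, the authorized one carries the posted value.
SAMPLE_RESPONSES = {
    "https://url/Reports (anonymous)": (401, {}),
    "https://url/Reports (authorized)": (200, {
        "Strict-Transport-Security": "max-age=3153600; includeSubDomains=true"}),
}

def parse_hsts(value):
    """Parse RFC 6797 directives; None if the header is absent or max-age is not numeric."""
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if name:  # valueless directives such as includeSubDomains map to True
            directives[name.lower()] = val.strip().strip('"') if sep else True
    if not re.fullmatch(r"\d+", str(directives.get("max-age", ""))):
        return None
    return directives

def evaluate(status, headers):
    """Findings for one response; empty list means HSTS is present and well formed."""
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lower.get("strict-transport-security"))
    if hsts is None:
        return [f"no valid Strict-Transport-Security header (HTTP {status})"]
    findings = []
    if int(hsts["max-age"]) < 31536000:  # one year, the commonly required minimum
        findings.append("max-age below one year")
    if hsts.get("includesubdomains") is not True:  # "=true" is not valid syntax
        findings.append("includeSubDomains missing or given a value")
    return findings

def fetch(url):
    """Unauthenticated GET returning (status, headers) even on 401/403."""
    req = urllib.request.Request(url, headers={"User-Agent": "hsts-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def check_samples():
    """Run the evaluation over the constructed samples (use fetch() for live URLs)."""
    return {label: evaluate(*resp) for label, resp in SAMPLE_RESPONSES.items()}
```

For a live check, pass `evaluate(*fetch(url))` for each report server URL from a host with no cached credentials, so the response is the one an unauthenticated client receives.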