SSRS Header required when user tries to access report portal but is unauthorized

Loski, Russel 1 Reputation point
2021-01-12T23:23:40.493+00:00

In SSRS 2019, Microsoft added the ability to add a custom header to a report request. https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-reporting-services?view=sql-server-ver15[server-properties-advanced-page-reporting-services][1].

We need to add the Strict-Transport-Security header. I added this to the system properties of the report server:

<CustomHeaders>  
    <Header>  
        <Name>Strict-Transport-Security</Name>  
        <Pattern>(.+)</Pattern>  
        <Value>max-age=3153600; includeSubDomains=true</Value>  
    </Header>  
</CustomHeaders>  

The Strict-Transport-Security header shows up with the following urls under certain conditions:

  • https://url/Reports
  • https://url/ReportServer
  • https://url

The last url is not valid for our server, but the STS header is returned.

The first two return the STS header only if the user is authorized. If the user has not logged in, the STS header is conspicuously missing.

Our government requirement is that the STS header should be in the header for these urls even if the user is not authorized.

What can we do to force SSRS to include the STS header in this case.

I tested one other web site and tried to access something I was not authorized to access. The STS header was included in the response even though I was unauthorized.

SQL Server Reporting Services
SQL Server Reporting Services
A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.
2,936 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,850 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.