SSRS 2019 Custom Header for fixing HSTS vulnerability

Victor 66 Reputation points


Trying to fix HSTS (aka Strict-Transport-Security) by creating Custom Headers under Advanced configuration of SSRS 2019. Prior versions did not support custom headers. Currently, based on this link, I created the following custom headers, since we have standard report URLs, which are https://servername/reports and https://servername/reportserver:

<Value>max-age=31536000; includeSubDomains=true</Value>

However, with the above only https://servername/reports shows strict transport security (HSTS) when I look at the developer tools in the browser (any browser, such as Edge or Chrome), but not the https://server/reportserver URL. I tried changing the pattern matching to <Pattern>(.+)/Report/(.+)</Pattern> and it still does not work. I tried a few other combinations as well.

I will greatly appreciate it if you can provide the correct custom header pattern matching to use so that both SSRS URL pages are served with HSTS, which complies with our new security requirements.
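As an added example (not part of the question, of the linked documentation, or of SSRS itself), the following Python script parses a Strict-Transport-Security value the way RFC 6797 section 6.1 specifies and audits both SSRS URLs from the question. The sample responses are constructed to mirror what the question describes, and "servername" is the question's own placeholder. One caveat the parser surfaces: RFC 6797 defines includeSubDomains as a valueless directive and (section 8.1) tells user agents to ignore a header that does not conform, so a value such as "max-age=31536000; includeSubDomains=true" can be visible in developer tools without any policy being applied; the conformant form is "max-age=31536000; includeSubDomains".

```python
"""Added example (not from the question or Microsoft docs): parse and audit
Strict-Transport-Security (HSTS) headers on the two SSRS URLs from the question."""
import re
import urllib.error
import urllib.request
from typing import Optional

# The two endpoints the question wants covered ("servername" is the question's placeholder).
SSRS_URLS = ["https://servername/reports", "https://servername/reportserver"]


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the value
    does not conform (missing max-age, a repeated directive, or a value given to
    the valueless includeSubDomains directive).  Section 8.1 tells user agents to
    ignore a non-conforming header entirely, so None means "no HSTS policy applied".
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # the ABNF permits empty elements between ';'
        name, sep, val = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if name in seen:
            return None  # each directive may appear at most once
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # delta-seconds may be sent as a quoted-string
            if not re.fullmatch(r"[0-9]+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            if sep:
                return None  # "includeSubDomains=true" is malformed: no value allowed
            include_subdomains = True
        # directives this parser does not recognise are ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is REQUIRED
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def hsts_status(headers: dict) -> str:
    """Classify one response's headers as 'missing', 'malformed' or 'ok'."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return "ok" if parse_hsts(value) is not None else "malformed"
    return "missing"


def audit(responses: dict) -> dict:
    """Map url -> HSTS status for a dict of url -> response headers."""
    return {url: hsts_status(headers) for url, headers in responses.items()}


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """Fetch response headers from a live SSRS instance (not run in the sample below).

    An unauthenticated request to SSRS normally gets a 401, which urllib raises as
    HTTPError; the headers of that response are returned so they can be inspected.
    """
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return dict(response.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses mirroring the question: /reports carries the
# posted value, /reportserver sends no HSTS header at all.
SAMPLE_RESPONSES = {
    "https://servername/reports": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains=true",
    },
    "https://servername/reportserver": {"Content-Type": "text/html"},
}

# The RFC-conformant form of the posted value.
CORRECT_VALUE = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for url, status in audit(SAMPLE_RESPONSES).items():
        print(f"{url}: {status}")
    print("corrected value parses as:", parse_hsts(CORRECT_VALUE))
    # Against a real server: audit({u: fetch_headers(u) for u in SSRS_URLS})
```

Run as-is it reports /reports as "malformed" and /reportserver as "missing"; point fetch_headers at the real URLs to repeat the audit after each change to the custom header configuration, rather than relying on the header merely appearing in the developer tools.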



2 answers

  1. Victor 66 Reputation points

    Thanks Joyzhao. I did post it to Will see whether someone responds back or not.


  2. Joyzhao-MSFT 15,566 Reputation points

    Hi @Victor ,
    As far as I know, the Web Service URL is the backend, which is utilized by the frontend and can also be used from your own application; and the Web Portal / Report Manager URL is the frontend to manage and show reports.

    I think Custom Header is for the Web Portal URL, not the Web Service URL. If you have questions about this, please post your question at

    Best Regards,

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
