HSTS - need to enable in SSRS 2022

  • Hi,

    My sys admin says I must enable HSTS in SSRS to pass penetration tests.

    Using this as guide:

    https://kevinstreet.co.uk/2021/03/15/enabling-hsts-and-selecting-most-secure-ciphers-and-protocols-for-https-for-configmgr/

    I changed the custom header property and restarted the SSRS service.

    Problem is my sysadmin is saying that it is still not passing the HSTS scan.

    Is my header wrong (does it need customization)? I'm using the one in the example:

    <CustomHeaders><Header><Name>Strict-Transport-Security</Name><Pattern>(.+)\/Reports\/(.+)</Pattern><Value>max-age=31536000; includeSubDomains</Value></Header></CustomHeaders>

    Is there anything else I need to do to pass the scan?


  • My first step would be to reach out to your IT dept to see what URL they are trying that is saying that HSTS isn't enabled, and verify that the URL they provide is captured by the regex that you posted. It could be that their tool is looking at the ReportServer URL rather than Reports, and you didn't configure anything for ReportServer.

    I would also load up the developer console to see what is actually happening. Look at the responses from the web server to see if the HSTS data is being sent back to your browser.

    Also, did you restart your instance after making the configuration change? Offhand, I don't know if this is required, but I would expect that with a change to this, you would need to at the VERY least restart the reporting services service, but if I am restarting that, I'd probably restart the SQL side of things too.

    I've also seen tools like this use cached versions of the webpage, so you may just need to wait for it to agree that HSTS is enabled.

    The above is all just my opinion on what you should do.
    As with all advice you find on a random internet forum - you shouldn't blindly follow it. Always test on a test server to see if there are negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
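    As an added example (not code from the thread or from Microsoft), here is an offline check for the two things raised above: whether a given URL is actually matched by the Pattern in the posted CustomHeaders fragment, and whether the header value is well-formed per RFC 6797 (includeSubDomains is a valueless directive, so "includeSubDomains=true" is not the standard form). The host name is constructed, and the assumption that SSRS applies the Pattern as a regex search over the full request URL is hypothetical; confirm it against your own instance.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <CustomHeaders> fragment as it would sit in
# rsreportserver.config, using the standard valueless includeSubDomains form.
CUSTOM_HEADERS_XML = r"""<CustomHeaders>
  <Header>
    <Name>Strict-Transport-Security</Name>
    <Pattern>(.+)\/Reports\/(.+)</Pattern>
    <Value>max-age=31536000; includeSubDomains</Value>
  </Header>
</CustomHeaders>"""

def headers_for_url(xml_text, url):
    """Return {name: value} for every <Header> whose Pattern matches the URL.
    Assumption (hypothetical): SSRS evaluates Pattern as a regex search over
    the full request URL, so an unmatched URL gets no custom header at all."""
    root = ET.fromstring(xml_text)
    matched = {}
    for hdr in root.findall("Header"):
        if re.search(hdr.findtext("Pattern"), url):
            matched[hdr.findtext("Name")] = hdr.findtext("Value")
    return matched

def validate_hsts(value):
    """Check a Strict-Transport-Security value against RFC 6797 syntax.
    Returns a list of problems; an empty list means the value is well-formed."""
    problems = []
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            problems.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            # max-age is mandatory and must be an unsigned integer (seconds)
            if not val.strip().strip('"').isdigit():
                problems.append("max-age must be a non-negative integer")
        elif name in ("includesubdomains", "preload"):
            # these directives carry no value at all
            if val:
                problems.append(f"{name} takes no value (got '{val}')")
    if "max-age" not in seen:
        problems.append("max-age directive is required")
    return problems
```

    Note that the posted regex requires at least one character after "/Reports/", so a scan of the bare web portal root or of any /ReportServer/ URL receives no HSTS header under this configuration.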
