SnaggleTooth
New Member

Add HTTP Strict transport security header

Hi folks, 

I was told to add the HSTS header to the server but not sure how?

I tried this tutorial but it didn't work: https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-repor...

Can you help?

Thanks

1 ACCEPTED SOLUTION
d_gosbell
Super User

What regex pattern did you use for the HSTS header?

 

I did a test matching anything under /Reports/ and it appeared to work fine (I also stopped and re-started PBIRS after changing this setting just to be sure it was applied)

 

<Header>
       <Name>Strict-Transport-Security</Name>
       <Pattern>(.+)\/Reports\/(.+)</Pattern>
       <Value>max-age=86400; includeSubDomains=true</Value>
</Header>

 


2 REPLIES 2

Steps are given below-

1. Enable the modification of response headers.
   Uncomment the following Load Module directive for the mod_headers module in the httpd.conf file:
   LoadModule headers_module modules/mod_headers.so

2. Define the HSTS policy for clients.
   Make the following updates in the httpd.conf file:

   a. Add the Header directive for Strict-Transport-Security.
      The following example Header specifies useful options for defining your HSTS policy. The directive specifies that the server always requires HTTPS connections. The HTTPS connections apply to both the domain and any subdomain. A client can keep the domain in its preinstalled list of HSTS domains for a maximum of one year (31536000 seconds).
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

   b. Add the Header directive to each virtual host section, <virtualhost>, that is enabled for Secure Sockets Layer (SSL).

3. Redirect requests from virtual hosts that are NOT enabled for SSL to virtual hosts that are enabled.
   RewriteEngine on
   RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

   - Add the stanza once to each non-SSL virtual host section in the httpd.conf file.
   - Add the stanza once to the global httpd.conf file, but outside the virtual host sections.

 

This may help you,

Rachel Gomez
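
Added example, not part of any post in this thread: a small checker for the Strict-Transport-Security values quoted above, useful before putting a value into the PBIRS `<Value>` element or an Apache `Header` directive. It applies the RFC 6797 syntax rules (max-age required, includeSubDomains valueless, no duplicate directives) and, as an assumption beyond the RFC, the hstspreload.org submission rules for `preload`; the function name `check_hsts` is hypothetical.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the figure quoted in the Apache reply

# The two header values that appear in this thread.
THREAD_VALUES = [
    "max-age=86400; includeSubDomains=true",
    "max-age=31536000; includeSubDomains; preload",
]

def check_hsts(value):
    """Return (directives, problems) for a Strict-Transport-Security value."""
    directives, problems = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # RFC 6797 allows empty directives between semicolons
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in directives:
            problems.append(f"duplicate directive: {name}")
            continue
        directives[name] = arg if sep else None  # None means "no value given"

    age = directives.get("max-age")
    age_ok = age is not None and re.fullmatch(r"[0-9]+", age) is not None
    if age is None:
        problems.append("max-age is required")
    elif not age_ok:
        problems.append("max-age must be a non-negative integer")
    elif int(age) == 0:
        problems.append("max-age=0 tells the browser to forget the policy")

    # Flag directives carry no value in the header grammar.
    for flag in ("includesubdomains", "preload"):
        if directives.get(flag) is not None:
            problems.append(f"{flag} is valueless; drop '={directives[flag]}'")

    # Assumption: preload checks follow the hstspreload.org submission rules.
    if "preload" in directives:
        if "includesubdomains" not in directives:
            problems.append("preload needs includeSubDomains")
        if age_ok and int(age) < PRELOAD_MIN_AGE:
            problems.append("preload needs max-age >= 31536000")
    return directives, problems

if __name__ == "__main__":
    for v in THREAD_VALUES:
        print(v, "->", check_hsts(v)[1] or "ok")
```
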
