SnaggleTooth
New Member

Add HTTP Strict transport security header

Hi folks, 

I was told to add the HSTS header to the server but not sure how?

I tried this tutorial but it didn't work: https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-repor...

Can you help?

Thanks

1 ACCEPTED SOLUTION
d_gosbell
Super User

What regex pattern did you use for the HSTS header?

 

I did a test matching anything under /Reports/ and it appeared to work fine (I also stopped and re-started PBIRS after changing this setting just to be sure it was applied)

 

<Header>
       <Name>Strict-Transport-Security</Name>
       <Pattern>(.+)\/Reports\/(.+)</Pattern>
       <Value>max-age=86400; includeSubDomains=true</Value>
</Header>

 

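To see which URLs a Pattern like the one in the accepted answer selects, and whether the Value follows the directive syntax of RFC 6797, here is an added example (not part of the original post and not PBIRS code). Assumptions: the pattern is applied as an unanchored regex search over the full URL, Python's `re` stands in for the server's regex engine, the `<CustomHeaders>` wrapper is there so the fragment parses, and the host name and sample URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The <Header> element from the answer above, inside a wrapper root (assumption).
CUSTOM_HEADERS = r"""<CustomHeaders>
<Header>
  <Name>Strict-Transport-Security</Name>
  <Pattern>(.+)\/Reports\/(.+)</Pattern>
  <Value>max-age=86400; includeSubDomains=true</Value>
</Header>
</CustomHeaders>"""

# Constructed sample URLs; pbirs.example.test is a placeholder host.
SAMPLE_URLS = [
    "https://pbirs.example.test/Reports/browse/",
    "https://pbirs.example.test/Reports/",
    "https://pbirs.example.test/ReportServer/Pages/Folder.aspx",
]

def urls_receiving_header(xml_text, urls):
    """Map each header name to the URLs its <Pattern> matches.
    Assumption: the pattern is used as an unanchored search."""
    result = {}
    for header in ET.fromstring(xml_text).iter("Header"):
        rx = re.compile(header.findtext("Pattern"))
        result[header.findtext("Name")] = [u for u in urls if rx.search(u)]
    return result

def hsts_findings(value):
    """Return syntax findings for an HSTS header value (RFC 6797, section 6.1)."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    findings = []
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        findings.append("max-age missing or not an integer")
    if directives.get("includesubdomains"):
        findings.append("includeSubDomains is valueless in RFC 6797")
    return findings

if __name__ == "__main__":
    for name, matched in urls_receiving_header(CUSTOM_HEADERS, SAMPLE_URLS).items():
        print(name, "->", matched)
    value = ET.fromstring(CUSTOM_HEADERS).findtext("Header/Value")
    print(hsts_findings(value) or "value follows RFC 6797 syntax")
```

The first function shows that this pattern needs at least one character after `/Reports/`, so the portal root itself and anything under `/ReportServer/` fall outside it.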

2 REPLIES 2

Steps are given below:

Enable the modification of response headers.
Uncomment the following LoadModule directive for the mod_headers module in the httpd.conf file:
LoadModule headers_module modules/mod_headers.so

Define the HSTS policy for clients.
Make the following updates in the httpd.conf file:

Add the Header directive for Strict-Transport-Security.
The following example Header specifies useful options for defining your HSTS policy. The directive specifies that the server always requires HTTPS connections. The HTTPS connections apply to both the domain and any subdomain. A client can keep the domain in its preinstalled list of HSTS domains for a maximum of one year (31536000 seconds).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Add the Header directive to each virtual host section, <virtualhost>, that is enabled for Secure Sockets Layer (SSL).
Redirect requests from virtual hosts that are NOT enabled for SSL to virtual hosts that are enabled.
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

Add the stanza once to each non-SSL virtual host section in the httpd.conf file.
Add the stanza once to the global httpd.conf file, but outside the virtual host sections.

 

This may help you,

Rachel Gomez
