SnaggleTooth
New Member

Add HTTP Strict transport security header

Hi folks, 

I was told to add the HSTS header to the server, but I'm not sure how.

I tried this tutorial but it didn't work: https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-repor...

Can you help?

Thanks

1 ACCEPTED SOLUTION
d_gosbell
Super User

What regex pattern did you use for the HSTS header?

I did a test matching anything under /Reports/ and it appeared to work fine (I also stopped and restarted PBIRS after changing this setting, just to be sure it was applied).

<Header>
       <Name>Strict-Transport-Security</Name>
       <Pattern>(.+)\/Reports\/(.+)</Pattern>
       <Value>max-age=86400; includeSubDomains=true</Value>
</Header>

 


2 REPLIES 2

Steps are given below:

Enable the modification of response headers.
Uncomment the following LoadModule directive for the mod_headers module in the httpd.conf file:
LoadModule headers_module modules/mod_headers.so

Define the HSTS policy for clients.
Make the following updates in the httpd.conf file:

Add the Header directive for Strict-Transport-Security.
The following example Header specifies useful options for defining your HSTS policy. The directive specifies that the server always requires HTTPS connections. The HTTPS connections apply to both the domain and any subdomain. A client can keep the domain in its preinstalled list of HSTS domains for a maximum of one year (31536000 seconds).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Add the Header directive to each virtual host section, <virtualhost>, that is enabled for Secure Sockets Layer (SSL).
Redirect requests from virtual hosts that are NOT enabled for SSL to virtual hosts that are enabled.
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

Add the stanza once to each non-SSL virtual host section in the httpd.conf file.
Add the stanza once to the global httpd.conf file, but outside the virtual host sections.

This may help you,

Rachel Gomez
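
As an added example (not code from either reply or from Microsoft), this Python sketch checks the two header values posted in this thread against the RFC 6797 directive syntax and lists which sample URLs the `<Pattern>` from the accepted solution would leave without the header. The host name and sample URLs are constructed, and it is an assumption that the server tests the pattern unanchored against the full request URL.

```python
import re

# RFC 6797 section 6.1: directive = token [ "=" ( token / quoted-string ) ]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*({TOKEN}|"[^"\\]*"))?')

def check_hsts(value):
    """Return (max_age, include_subdomains, problems) for one header value."""
    seen, problems = {}, []
    for part in value.split(";"):  # simplification: no ';' inside quoted strings
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        m = DIRECTIVE.fullmatch(part)
        if not m:
            problems.append(f"malformed directive: {part!r}")
            continue
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            problems.append(f"duplicate directive: {name}")
        seen[name] = m.group(2).strip('"') if m.group(2) is not None else None
    age = seen.get("max-age")
    max_age = int(age) if age and re.fullmatch(r"[0-9]+", age) else None
    if max_age is None:
        problems.append("max-age is required and must be a non-negative integer")
    subdomains = "includesubdomains" in seen
    if subdomains and seen["includesubdomains"] is not None:
        problems.append("includeSubDomains takes no value (RFC 6797 section 6.1.2)")
        subdomains = False
    return max_age, subdomains, problems

def unmatched_urls(pattern, urls):
    """URLs the <Pattern> regex does not select, so no header would be added.
    Assumption: the pattern is tested against the request URL, unanchored."""
    rx = re.compile(pattern)
    return [u for u in urls if not rx.search(u)]

# Header values as they appear in the two replies above.
PBIRS_VALUE = "max-age=86400; includeSubDomains=true"
APACHE_VALUE = "max-age=31536000; includeSubDomains; preload"
HOST = "https://pbirs.example.test"  # constructed, hypothetical host
SAMPLE_URLS = [HOST + p for p in
               ("/Reports/browse", "/Reports/", "/ReportServer/Pages/ReportViewer.aspx")]

if __name__ == "__main__":
    for v in (PBIRS_VALUE, APACHE_VALUE):
        print(v, "->", check_hsts(v))
    print("no header for:", unmatched_urls(r"(.+)\/Reports\/(.+)", SAMPLE_URLS))
```

RFC 6797 tells user agents to ignore a Strict-Transport-Security field that does not conform to its syntax, so a value the check flags is worth confirming in the browsers that will actually reach the server.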
