SnaggleTooth
New Member

Add HTTP Strict Transport Security header

Hi folks, 

I was told to add the HSTS header to the server but I'm not sure how.

I tried this tutorial but it didn't work: https://learn.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-repor...

Can you help?

Thanks

1 ACCEPTED SOLUTION
d_gosbell
Super User

What regex pattern did you use for the HSTS header?

 

I did a test matching anything under /Reports/ and it appeared to work fine (I also stopped and re-started PBIRS after changing this setting just to be sure it was applied)

 

<Header>
       <Name>Strict-Transport-Security</Name>
       <Pattern>(.+)\/Reports\/(.+)</Pattern>
       <Value>max-age=86400; includeSubDomains=true</Value>
</Header>
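
An added example, not part of the original post and not Microsoft's code: a small Python check of which request URLs the `<Pattern>` above selects and whether the `<Value>` follows the directive rules of RFC 6797. The function names and the `pbirs.example` host are hypothetical, and it assumes the server applies the pattern as an unanchored regex search over the full URL.

```python
import re
import xml.etree.ElementTree as ET

# The <Header> element exactly as posted above (constructed test input).
CUSTOM_HEADER = r"""<Header>
       <Name>Strict-Transport-Security</Name>
       <Pattern>(.+)\/Reports\/(.+)</Pattern>
       <Value>max-age=86400; includeSubDomains=true</Value>
</Header>"""

def headers_for(url, xml_text=CUSTOM_HEADER):
    """Return {name: value} for each <Header> whose <Pattern> matches url.
    Assumption: unanchored search semantics, as with .NET Regex.IsMatch."""
    out = {}
    for h in ET.fromstring(xml_text).iter("Header"):
        if re.search(h.findtext("Pattern"), url):
            out[h.findtext("Name")] = h.findtext("Value")
    return out

def hsts_issues(value):
    """List departures from the HSTS directive rules in RFC 6797 section 6.1."""
    issues, seen = [], set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, arg = (s.strip() for s in part.partition("="))
        key = name.lower()
        if key in seen:
            issues.append(f"duplicate directive: {name}")
        seen.add(key)
        if key == "max-age" and not re.fullmatch(r'"?[0-9]+"?', arg):
            issues.append("max-age needs a non-negative integer of seconds")
        elif key == "includesubdomains" and sep:
            issues.append("includeSubDomains is valueless in RFC 6797")
    if "max-age" not in seen:
        issues.append("max-age is required")
    return issues

if __name__ == "__main__":
    # Hypothetical URLs: a page under /Reports/, the bare portal root,
    # and the separate /ReportServer/ endpoint.
    for url in ("https://pbirs.example/Reports/browse",
                "https://pbirs.example/Reports/",
                "https://pbirs.example/ReportServer/Pages/Folder.aspx"):
        hdrs = headers_for(url)
        print(url, "->", hdrs or "no custom header")
        for v in hdrs.values():
            print("    issues:", hsts_issues(v))
```

Only the first URL receives the header; the trailing `(.+)` needs at least one character after `/Reports/`, and `/ReportServer/` does not contain `/Reports/`.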

 


2 REPLIES 2

Steps are given below:

Enable the modification of response headers.
Uncomment the following Load Module directive for the mod_headers module in the httpd.conf file:
LoadModule headers_module modules/mod_headers.so

Define the HSTS policy for clients.
Make the following updates in the httpd.conf file:

Add the Header directive for Strict-Transport-Security.
The following example Header specifies useful options for defining your HSTS policy. The directive specifies that the server always requires HTTPS connections. The HTTPS connections apply to both the domain and any subdomain. A client can keep the domain in its preinstalled list of HSTS domains for a maximum of one year (31536000 seconds).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Add the Header directive to each virtual host section, <virtualhost>, that is enabled for Secure Sockets Layer (SSL).
Redirect requests from virtual hosts that are NOT enabled for SSL to virtual hosts that are enabled.
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

Add the stanza once to each non-SSL virtual host section in the httpd.conf file.
Add the stanza once to the global httpd.conf file, but outside the virtual host sections.

 

This may help you,

Rachel Gomez
