Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Disabling Server Header

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

Disabling Server Header

Last Update:

Oct 12, 2021 8:21:19 AM

Updated By:

Sonja_Bauernfeind

Created date:

Feb 4, 2019 1:42:26 PM

It is important to suppress as much information as possible from any potentially harmful user.

The server contains information identifying the technology being used and version numbers. This is not desirable because it increases the attack surface and could allow a malicious user to perform a spearheaded attack. 

 

Environment:

QlikView 
Qlik Sense Enterprise on Windows 

 


On Windows, whether that is server edition or regular, it is not very clear as to how to disable this header. These instructions aim to clarify and demonstrate how it could be done on either edition. Without disabling the header, the server gives information away regarding the technology it is utilizing, as seen below.

Server header with information disclosureServer header with information disclosure


Resolution:


In order to stop the server from handing out information regarding the technology it is utilizing, we need to disable the “Server” header. This could be achieved in a number of ways. Instances running IIS could utilize “URLScan” or “Custom HTTP Rules”.  However, this is not a universal solution and in the case of URLScan, it is required to install an add-on to IIS. As a result, the following method will only target the HTTP service which works on any version of Windows.
 

  1. Open up “regedit.exe” (Run as Administrator) and navigate to:

    HKLM\System\CurrentControlSet\Services\HTTP\Parameters

  2. Create a DWORD entry.
    1. Right-click on the whitespace
    2. New
    3. DWORD (32-bit) Value
    4. Rename the new entry to “DisableServerHeader”
    5. Set its value to 2
    6. Hit “OK”.

      Creating a DWORD entry for “DisableServerHeader”Creating a DWORD entry for “DisableServerHeader”


      Setting the value of DisableServerHeader to 2Setting the value of DisableServerHeader to 2

  3. In order for this to take effect, it is required to reset the “http” service.  

    Warning: This will make your web services relying on HTTP unresponsive.
    1. Open CMD (or PS) as administrator and run the following: 
      net stop HTTP 
net start HTTP​
    2. If the above method fails, reboot the system.

  4. Once the service has been restarted successfully, the response header from the server should now look similar to this:

    No Server Header in the HTTP responseNo Server Header in the HTTP response




 

QlikView
Thumbnail of QlikView
QlikView
Qlik Sense Enterprise on Windows
Thumbnail of Qlik Sense Enterprise on Windows
Qlik Sense Enterprise on Windows
Labels (1)
2,183 Views
Was this article helpful? Yes No
Contributors
Version history
Last update:
‎2021-10-12 08:21 AM
Updated by:
Digital Support