
QlikView HSTS (HTTP Strict-Transport-Security response header)

Sonja_Bauernfeind
Digital Support

Last Update: Feb 23, 2024 8:37:20 AM

Updated By: Sebastian_Linser

Created date: Jul 29, 2019 11:36:37 AM

HSTS (HTTP Strict-Transport-Security response header) security check failed.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.

Resolution

Before adding HSTS to either the QlikView AccessPoint or the QlikView Management Console (QMC), set both up to use HTTPS. See QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate for instructions.

HSTS for the QlikView AccessPoint

Custom response headers can be set in both the QlikView WebServer (beginning with 12.30) and Microsoft IIS (all QlikView versions).

The custom header needed for HSTS is: Strict-Transport-Security

  1. Run a text editor (e.g. Notepad) as Administrator.

  2. Edit the QlikView WebServer configuration file. The default path is C:\ProgramData\QlikTech\WebServer\config.xml

  3. Locate the CustomHeaders element within the config file. For more information, see QlikView WebServer: Custom HTTP Header.

  4. Add the custom response header as <Header> element(s) with sub-elements defining Strict-Transport-Security as the name and your desired max-age= as the value.

    Example:
    <Config>
      ...
      <Web>
        ...
        <CustomHeaders>
          <Header>
            <Name>Strict-Transport-Security</Name>
            <Value>max-age=31536000</Value>
          </Header>
        </CustomHeaders>
      </Web>
    </Config>

  5. Restart the QlikView WebServer service.

For information on how to configure custom headers with Microsoft IIS, see Setting Custom HTTP Headers in IIS for QlikView. The site https://https.cio.gov/hsts/ gives information on how to set up the web server to enable HSTS.

Testing can be achieved using any number of third-party sites, such as:

HSTS for the QlikView Management Console (QMC)

This setting was introduced with QlikView 12.70 (May 2022) SR1.

QVManagementService.exe.Config Changes:

  1. Stop the QlikView Management Services.

  2. Go to ProgramFiles => qliktech => management service and open QVManagementService.exe.config in Notepad running as Administrator.

  3. Set this value to true:

    <add key="UseHSTS" value="true" />

  4. For the HSTS header to be enabled, this value also has to be set to true:

    <add key="UseHTTPS" value="true" />
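
One way to audit both files after making the changes above, as an added example that is not part of the original article or of Qlik's own tooling. It assumes Python is available, that the Header element sits inside CustomHeaders as in the article's example, and that the two QMC keys are add elements with key and value attributes; the function names, MIN_MAX_AGE and the sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MIN_MAX_AGE = 31536000  # assumption: require at least the article's example value


def check_webserver_config(xml_text, min_max_age=MIN_MAX_AGE):
    """Return problems found with the HSTS custom header in a WebServer config.xml."""
    root = ET.fromstring(xml_text)
    values = [h.findtext("Value", "").strip()
              for h in root.findall(".//CustomHeaders/Header")
              if h.findtext("Name", "").strip().lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security <Header> inside <CustomHeaders>"]
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', values[0], re.I)
    if not m:
        return ["max-age directive is missing or not an integer"]
    age = int(m.group(1))
    if age == 0:
        return ["max-age=0 tells browsers to drop the HSTS policy"]
    if age < min_max_age:
        return [f"max-age={age} is below the required minimum {min_max_age}"]
    return []


def check_qmc_config(xml_text):
    """Return the keys in QVManagementService.exe.config that are not set to true."""
    root = ET.fromstring(xml_text)
    settings = {a.get("key"): (a.get("value") or "").strip().lower()
                for a in root.iter("add") if a.get("key")}
    return [k for k in ("UseHTTPS", "UseHSTS") if settings.get(k) != "true"]


# Constructed samples (not taken from a real installation).
WEB_OK = ("<Config><Web><CustomHeaders><Header><Name>Strict-Transport-Security</Name>"
          "<Value>max-age=31536000</Value></Header></CustomHeaders></Web></Config>")
WEB_SHORT = WEB_OK.replace("31536000", "300")
WEB_MISSING = "<Config><Web><CustomHeaders /></Web></Config>"
QMC_HALF = ('<configuration><appSettings><add key="UseHSTS" value="true" />'
            '<add key="UseHTTPS" value="false" /></appSettings></configuration>')

if __name__ == "__main__":
    for name, doc in (("ok", WEB_OK), ("short", WEB_SHORT), ("missing", WEB_MISSING)):
        print("config.xml", name, check_webserver_config(doc) or "HSTS header configured")
    print("QMC config, keys not true:", check_qmc_config(QMC_HALF))
```

Pass the text of the real config.xml and QVManagementService.exe.config to the two functions; an empty list from each means the settings described above are in place.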

 

 

Environment:

QlikView

Comments
c_grigoriadis
Partner - Contributor

Hi @Sonja_Bauernfeind. We have followed the instructions regarding the HSTS for the QlikView Management Console (QMC) but it seems that QMC is still exposed. Is there anything else we should do?

Thank you in advance.

Sonja_Bauernfeind
Digital Support

Hello @c_grigoriadis 

These are the only settings that should be required. I recommend you post about the challenge you are facing in our QlikView Administration forum, where our active support engineers and your knowledgeable Qlik peers can better assist you.

All the best,
Sonja 
