Enable HSTS for QEM and Replicate webapps

Prabodh — Wed, 07 Jul 2021 20:14:40 GMT

The Replicate and QEM web applications do not enforce HTTP Strict Transport Security (HSTS).

The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.

This is a security best practice recommended by our penetration testing team.

Re: Enable HSTS for QEM and Replicate webapps - Status changed to: Closed - Already Available

Shelley_Brennan — Mon, 12 Jul 2021 12:12:55 GMT

This capability was made available for Enterprise Manager in version 7 (Nov 2020) release. Please refer to the following: https://help.qlik.com/en-US/enterprise-manager/May2021/Content/Global_Common/Content/SharedEMReplicate/Security/setting_hsts.htm

idea Re: Enable HSTS for QEM and Replicate webapps - Status changed to: Closed - Already Available in Suggest an Idea

Enable HSTS for QEM and Replicate webapps

Re: Enable HSTS for QEM and Replicate webapps - Status changed to: Closed - Already Available