topic Re: HSTS Missing From HTTPS Server on 404 Pages Despite Configuration in Qlik Replicate

HSTS Missing From HTTPS Server on 404 Pages Despite Configuration

EE_ — Mon, 07 Apr 2025 07:38:23 GMT

Dear Support Team,

A third-party security scan detects that HSTS is not enabled in Qlik Replicate, even though we have configured it according to the documentation provided here:
https://help.qlik.com/en-US/replicate/November2024/Content/Global_Common/Content/SharedEMReplicate/Security/setting_hsts.htm

Despite the correct setup, the scan still reports the following issue:

---
HSTS Missing From HTTPS Server (RFC 6797)
Plugin Output:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 22 Jan 2025 18:06:50 GMT
Connection: close
Content-Length: 315
---

Could you please advise how we can ensure that the HSTS header is also applied to 404 Not Found responses, so the security scan can pass successfully?

Thank you in advance for your assistance.

Re: HSTS Missing From HTTPS Server on 404 Pages Despite Configuration

DesmondWOO — Mon, 07 Apr 2025 09:00:51 GMT

Hi @EE_

Thank you for reaching out to the Qlik Community.

Please test using the following curl command:

curl -k -D- https://<hostname>/attunityreplicate/

If HSTS is enabled, you should see "Strict-Transport-Security" in the response. For example,

HTTP/1.1 307 Temporary Redirect
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html
Location: https://yourhost/attunityreplicate/login/
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: Replicate.Redirect=/attunityreplicate/; Path=/attunityreplicate; HttpOnly; Secure; SameSite=Lax
Date: Mon, 07 Apr 2025 08:53:46 GMT

Regards,
Desmond

Re: HSTS Missing From HTTPS Server on 404 Pages Despite Configuration

EE_ — Mon, 14 Apr 2025 01:38:12 GMT

Hi @DesmondWOO
We would like to clarify the behavior of the HSTS configuration previously provided.

May we confirm whether the HSTS setting only applies to routes under https://<hostname>/attunityreplicate/?
When we try to access https://hostname directly, it returns:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 10 Apr 2025 06:41:46 GMT
Connection: close
Content-Length: 315

As our vulnerability scanning tool (Tenable Nessus) accesses the root domain and checks for the HSTS header there, it currently flags this as HSTS Missing From HTTPS Server (RFC 6797).

Is there a way to configure Qlik Replicate to include the HSTS header even in 404 responses from the root domain?

Thank you.

Re: HSTS Missing From HTTPS Server on 404 Pages Despite Configuration

R2JOE — Fri, 01 Aug 2025 03:10:47 GMT

Hello @EY_, I have the same problem. Have you solved it? Thank you.

Re: HSTS Missing From HTTPS Server on 404 Pages Despite Configuration

DesmondWOO — Thu, 07 Aug 2025 04:08:37 GMT

Hi @R2JOE ,

This is an OS level issue - Replicate and QEM use a Windows subsystem called HTTP.SYS which allows multiple applications to be served on the same port 443.

When some client connects to the machine, the GET/PUT/POST/etc. request reaches HTTP.SYS and based on the request path, it is directed to the specific application. Thus, if the path is to the Qlik application (Replicate or QEM), it is being called and can return the required HSTS header.

Request paths to other applications (see the result of “netsh http show urlacl” for what other services that are serving HTTP(S) on this machine) will rely on what they ae designed to return (outside of Qlik’s control). If no match is made, the HTTP.SYS will return its own response (also outside of Qlik’s control).

In any case once a single application return HSTS, that host will always be contacted in HTTPS, and Replicate/QEM will never serve over HTTP.

Regards,
Desmond