https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435318#M26906 <P>What other ports are you concerned about? HSTS headers are used to enforce the user of HTTPS (as opposed to HTTP). Other than the optional HTTP port enabled by the Qlik Proxy Service (80 by default), no other port used by Qlik Sense uses HTTP.</P> Wed, 27 Mar 2024 18:53:39 GMT Levi_Turner 2024-03-27T18:53:39Z https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435226#M26903 <P>hi, to be HSTS compliance, I followed the steps in article below.</P> <P><A href="https://community.qlik.com/t5/Official-Support-Articles/HTTP-Strict-Transport-Security-HSTS-in-Qlik-Sense/ta-p/1711505" target="_blank" rel="noopener">https://community.qlik.com/t5/Official-Support-Articles/HTTP-Strict-Transport-Security-HSTS-in-Qlik-Sense/ta-p/1711505</A></P> <P>this is working fine for port 443. but we are using other ports as well and HSTS is not compliance to those ports.&nbsp;</P> <P>How to make QS compliance to HSTS to all ports (at least port we use).</P> <P>Can we mention ports in our header settings or in any other config files?</P> <P><EM>Strict-Transport-Security:&nbsp;max-age=31536000;&nbsp;includeSubDomains</EM></P> <P>&nbsp;</P> <P>And there is another article to <SPAN>Redirect HTTP to HTTPS in Qlik Sense</SPAN> on port 80. but I need for other ports as well.&nbsp;<A href="https://community.qlik.com/t5/Official-Support-Articles/How-to-Redirect-HTTP-to-HTTPS-in-Qlik-Sense/tac-p/2433345#M13568" target="_blank" rel="noopener">https://community.qlik.com/t5/Official-Support-Articles/How-to-Redirect-HTTP-to-HTTPS-in-Qlik-Sense/tac-p/2433345#M13568</A></P> <P>&nbsp;</P> <P>Appreciate your reply and any inputs.&nbsp;</P> <P>Thank you.</P> <P>&nbsp;</P> <P>found some related article to understand issue:</P> <P><A href="https://www.tenable.com/plugins/nessus/142960" target="_blank" rel="noopener">https://www.tenable.com/plugins/nessus/142960</A></P> <P><A href="https://datatracker.ietf.org/doc/html/rfc6797" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc6797</A></P> Wed, 27 Mar 2024 14:35:56 GMT https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435226#M26903 Rajashekar 2024-03-27T14:35:56Z https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435318#M26906 <P>What other ports are you concerned about? HSTS headers are used to enforce the user of HTTPS (as opposed to HTTP). Other than the optional HTTP port enabled by the Qlik Proxy Service (80 by default), no other port used by Qlik Sense uses HTTP.</P> Wed, 27 Mar 2024 18:53:39 GMT https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435318#M26906 Levi_Turner 2024-03-27T18:53:39Z https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435638#M26911 <P>Hi&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/47469">@Levi_Turner</a>&nbsp;, thank you for your prompt response.</P> <P>ports 4242,4899, 4239 are still show "HSTS missing from HTTPS server" vulnerability (not compliant). not sure how to make these non vulnerable.</P> <P>Appreciate your response.&nbsp;</P> Thu, 28 Mar 2024 13:26:04 GMT https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435638#M26911 Rajashekar 2024-03-28T13:26:04Z https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435653#M26913 <P>Those are internal ports which only operate using HTTPS. The point of HSTS is to ensure use of HTTPS. If you cannot use HTTP, then it is irrelevant for HSTS to ensure HTTPS use.</P> Thu, 28 Mar 2024 13:58:09 GMT https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2435653#M26913 Levi_Turner 2024-03-28T13:58:09Z https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2476200#M27818 <P>Hi Sir,</P> <P>I has the same question too, I used another product that is Qlik Replicate.<BR />Follow document step to enable HSTS, but the port 3552 still show vulnerability (RFC 6797) by Vulnerability Assessment product.</P> <P>Please tell me how to solve it.<BR />Thanks.</P> Wed, 14 Aug 2024 07:13:38 GMT https://community.qlik.com/t5/Management-Governance/HSTS-missing-from-HTTP-vulnerability-RFC-6797/m-p/2476200#M27818 Aaron_Liu 2024-08-14T07:13:38Z