https://community.qlik.com/t5/Official-Support-Articles/QlikView-WebServer-Custom-HTTP-Header/ta-p/1712716 <P>The QlikView WebServer (QVWS) supports custom HTTP response headers as of release 12.30.&nbsp;</P> <P>Custom response headers are defined in <FONT face="courier new,courier">QVWS config.xml</FONT> file.</P> <P>Note that for QlikView deployments using IIS as a web server, custom HTTP headers must be configured in IIS.&nbsp;</P> <P>An example use case for this is the introduction of HTTP headers preventing any possible <A href="https://en.wikipedia.org/wiki/Clickjacking" target="_blank" rel="noopener">ClickJacking</A> vulnerabilities.&nbsp;<SPAN>This type of attack is mitigated by adding an&nbsp;<STRONG>X-Frame-Options</STRONG> HTTP response header, which can be used to indicate whether or not a browser should be allowed to render a page in a &lt;frame&gt;, &lt;iframe&gt; or &lt;object&gt;. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. For more information on X-Frame-Options, see, for example,&nbsp;<A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" target="_blank" rel="noopener">X-Frame-Options (Mozilla)</A>.</SPAN></P> <H4><FONT color="#339966"><STRONG>Environment:</STRONG></FONT></H4> <P class="lia-indent-padding-left-30px"><LI-PRODUCT title="QlikView" id="qlikView"></LI-PRODUCT>&nbsp;(12.30 and later)</P> <H3><FONT color="#339966"><STRONG>Resolution:</STRONG></FONT></H3> <H4><FONT color="#339966"><STRONG>Configure Custom Headers&nbsp;</STRONG></FONT></H4> <OL> <LI>Run text editor (e.g. Notepad) as Administrator&nbsp;</LI> <LI>Edit QlikView WebServer configurations file.&nbsp;Default path;&nbsp;C:\ProgramData\QlikTech\WebServer\config.xml</LI> <LI>Locate&nbsp;CustomHeaders&nbsp;element within the config file</LI> <LI>Replace empty element <STRONG>&lt;CustomHeaders /&gt;</STRONG>&nbsp;with open and closed elements <STRONG>&lt;CustomHeaders&gt;&lt;/CustomHeaders&gt;</STRONG>&nbsp;if needed.&nbsp; <PRE class="ckeditor_codeblock">&lt;Config&gt; ... &lt;Web&gt; <STRONG> &lt;CustomHeaders&gt; </STRONG>&nbsp; ...<STRONG> &lt;/CustomHeaders&gt; </STRONG> &lt;/Web&gt; &lt;/Config&gt;</PRE> </LI> <LI>&nbsp;Add custom response header as &lt;Header&gt; element(s) with sub-elements defining the desired header name and value.&nbsp; <PRE class="ckeditor_codeblock">&lt;Config&gt; ... &lt;Web&gt; &nbsp; ... &lt;CustomHeaders&gt; &lt;Header&gt;&nbsp;&nbsp; &nbsp; &lt;Name&gt;Header1&lt;/Name&gt; &lt;Value&gt;Value1&lt;/Value&gt; &lt;/Header&gt; &lt;Header&gt;&nbsp;&nbsp; &nbsp; &lt;Name&gt;Header2&lt;/Name&gt; &lt;Value&gt;Value2&lt;/Value&gt; &lt;/Header&gt; &lt;/CustomHeaders&gt; &lt;/Web&gt; &lt;/Config&gt; </PRE> </LI> <LI>Restart QlikView WebServer service</LI> </OL> <H4><FONT color="#339966"><STRONG>Validate custom headers</STRONG></FONT></H4> <OL start="7"> <LI>Open browser</LI> <LI>Enable browser developer tools</LI> <LI>Open QlikView AccessPoint</LI> <LI>Validate in HTTP response header that custom header has been set<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="verify custom headers in debug tools.png" style="width: 555px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/60054iC25F9988EF3828FF/image-size/large?v=v2&amp;px=999" role="button" title="verify custom headers in debug tools.png" alt="verify custom headers in debug tools.png" /></span></LI> </OL> Wed, 20 Mar 2024 15:26:18 GMT ToniKautto 2024-03-20T15:26:18Z https://community.qlik.com/t5/Official-Support-Articles/QlikView-WebServer-Custom-HTTP-Header/ta-p/1712716 <P>The QlikView WebServer (QVWS) supports custom HTTP response headers as of release 12.30.&nbsp;</P> <P>Custom response headers are defined in <FONT face="courier new,courier">QVWS config.xml</FONT> file.</P> <P>Note that for QlikView deployments using IIS as a web server, custom HTTP headers must be configured in IIS.&nbsp;</P> <P>An example use case for this is the introduction of HTTP headers preventing any possible <A href="https://en.wikipedia.org/wiki/Clickjacking" target="_blank" rel="noopener">ClickJacking</A> vulnerabilities.&nbsp;<SPAN>This type of attack is mitigated by adding an&nbsp;<STRONG>X-Frame-Options</STRONG> HTTP response header, which can be used to indicate whether or not a browser should be allowed to render a page in a &lt;frame&gt;, &lt;iframe&gt; or &lt;object&gt;. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. For more information on X-Frame-Options, see, for example,&nbsp;<A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" target="_blank" rel="noopener">X-Frame-Options (Mozilla)</A>.</SPAN></P> <H4><FONT color="#339966"><STRONG>Environment:</STRONG></FONT></H4> <P class="lia-indent-padding-left-30px"><LI-PRODUCT title="QlikView" id="qlikView"></LI-PRODUCT>&nbsp;(12.30 and later)</P> <H3><FONT color="#339966"><STRONG>Resolution:</STRONG></FONT></H3> <H4><FONT color="#339966"><STRONG>Configure Custom Headers&nbsp;</STRONG></FONT></H4> <OL> <LI>Run text editor (e.g. Notepad) as Administrator&nbsp;</LI> <LI>Edit QlikView WebServer configurations file.&nbsp;Default path;&nbsp;C:\ProgramData\QlikTech\WebServer\config.xml</LI> <LI>Locate&nbsp;CustomHeaders&nbsp;element within the config file</LI> <LI>Replace empty element <STRONG>&lt;CustomHeaders /&gt;</STRONG>&nbsp;with open and closed elements <STRONG>&lt;CustomHeaders&gt;&lt;/CustomHeaders&gt;</STRONG>&nbsp;if needed.&nbsp; <PRE class="ckeditor_codeblock">&lt;Config&gt; ... &lt;Web&gt; <STRONG> &lt;CustomHeaders&gt; </STRONG>&nbsp; ...<STRONG> &lt;/CustomHeaders&gt; </STRONG> &lt;/Web&gt; &lt;/Config&gt;</PRE> </LI> <LI>&nbsp;Add custom response header as &lt;Header&gt; element(s) with sub-elements defining the desired header name and value.&nbsp; <PRE class="ckeditor_codeblock">&lt;Config&gt; ... &lt;Web&gt; &nbsp; ... &lt;CustomHeaders&gt; &lt;Header&gt;&nbsp;&nbsp; &nbsp; &lt;Name&gt;Header1&lt;/Name&gt; &lt;Value&gt;Value1&lt;/Value&gt; &lt;/Header&gt; &lt;Header&gt;&nbsp;&nbsp; &nbsp; &lt;Name&gt;Header2&lt;/Name&gt; &lt;Value&gt;Value2&lt;/Value&gt; &lt;/Header&gt; &lt;/CustomHeaders&gt; &lt;/Web&gt; &lt;/Config&gt; </PRE> </LI> <LI>Restart QlikView WebServer service</LI> </OL> <H4><FONT color="#339966"><STRONG>Validate custom headers</STRONG></FONT></H4> <OL start="7"> <LI>Open browser</LI> <LI>Enable browser developer tools</LI> <LI>Open QlikView AccessPoint</LI> <LI>Validate in HTTP response header that custom header has been set<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="verify custom headers in debug tools.png" style="width: 555px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/60054iC25F9988EF3828FF/image-size/large?v=v2&amp;px=999" role="button" title="verify custom headers in debug tools.png" alt="verify custom headers in debug tools.png" /></span></LI> </OL> Wed, 20 Mar 2024 15:26:18 GMT https://community.qlik.com/t5/Official-Support-Articles/QlikView-WebServer-Custom-HTTP-Header/ta-p/1712716 ToniKautto 2024-03-20T15:26:18Z