QlikView HSTS (HTTP Strict-Transport-Security response header)

Sonja_Bauernfeind — Fri, 23 Feb 2024 13:37:20 GMT

HSTS (HTTP Strict-Transport-Security response header) security check failed.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.

Resolution

Before adding HSTS to either the QlikView AccessPoint or the QlikView Management Console (QMC), set both up to use HTTPS. See for QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate instructions.

HSTS for the QlikView AccessPoint

Custom response headers can be set in both the QlikView WebServer (beginning with 12.30) and Microsoft IIS (all QlikView versions).

The custom header needed for HSTS is: Strict-Transport-Security

Run text editor (e.g. Notepad) as Administrator
Edit QlikView WebServer configurations file. The default path is C:\ProgramData\QlikTech\WebServer\config.xml
Locate CustomHeaders element within the config file. For more information, see QlikView WebServer: Custom HTTP Header.
Add custom response header as <Header> element(s) with sub-elements defining Strict-Transport-Security as the name and your desired max-age= as value.

Example:
<Config> ... <Web> ... <CustomHeaders> <Header> <Name>Strict-Transport-Security</Name> <Value>max-age=31536000</Value> </Header> </CustomHeaders> </Web> </Config>
Restart QlikView WebServer service

For information on how to configure custom headers with Microsoft IIS, see Setting Custom HTTP Headers in IIS for QlikView. The site https://https.cio.gov/hsts/ gives information on how to setup the webserver to enable HSTS.

Testing can be achieved using any number of third party sites, such as:

HSTS for the QlikView Management Console (QMC)

This setting was introduced with QlikView 12.70 (May 2022) SR1.

QVManagementService.exe.Config Changes:

Stop the QlikView Management Services
Go to ProgramFiles => qliktech => management service => open QVManagementService.exe.config using an administrator notepad
Update this value to true =>

<add key="UseHSTS" value="true" />
To enable HSTS to header this value has to be set to true

<add key="UseHTTPS" value="true" />

Environment:

Re: QlikView HSTS (HTTP Strict-Transport-Security response header)

c_grigoriadis — Tue, 09 Apr 2024 12:24:14 GMT

Hi @Sonja_Bauernfeind . We have followed the instructions regarding the HSTS for the QlikView Management Console (QMC) but it seems that QMC is still exposed. Is there anything else we should do.

Thank you in advance.

Re: QlikView HSTS (HTTP Strict-Transport-Security response header)

Sonja_Bauernfeind — Thu, 11 Apr 2024 11:25:27 GMT

Hello @c_grigoriadis

These are the only settings that should be required. I recommend you post about the challenge you are facing in our QlikView Administration forum, where our active support engineers and your knowledgeable Qlik peers can better assist you.

All the best,
Sonja

article QlikView HSTS (HTTP Strict-Transport-Security response header) in Official Support Articles

QlikView HSTS (HTTP Strict-Transport-Security response header)

Resolution

HSTS for the QlikView AccessPoint

HSTS for the QlikView Management Console (QMC)

Environment:

Re: QlikView HSTS (HTTP Strict-Transport-Security response header)

Re: QlikView HSTS (HTTP Strict-Transport-Security response header)