https://community.qlik.com/t5/Official-Support-Articles/Disabling-Server-Header/ta-p/1716182 <P>It is important to suppress as much information as possible from any potentially harmful user.</P> <P>The server contains information identifying the technology being used and version numbers. This is not desirable because it increases the attack surface and could allow a malicious user to perform a spearheaded attack.&nbsp;</P> <P>&nbsp;</P> <H4><FONT color="#339966"><STRONG>Environment:</STRONG></FONT></H4> <P class="lia-indent-padding-left-30px"><LI-PRODUCT title="QlikView" id="qlikView"></LI-PRODUCT>&nbsp;<BR /><LI-PRODUCT title="Qlik Sense Enterprise on Windows" id="qlikSenseEnterpriseWindows"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <P><BR /><SPAN style="font-size: 11.0pt;">On Windows, whether that is server edition or regular, it is not very clear as to how to disable this header. These instructions aim to clarify and demonstrate how it could be done on either edition. Without disabling the header, the server gives information away regarding the technology it is utilizing, as seen below.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Server header with information disclosure" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64000iBEF78DF2196C4DE2/image-size/medium?v=v2&amp;px=400" role="button" title="Response Raw Server version displayed.png" alt="Server header with information disclosure" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Server header with information disclosure</span></span><BR /><BR /><BR /></P> <H3 class="qlik-migrated-tkb-headings"><STRONG><FONT color="#339966">Resolution:</FONT></STRONG></H3> <P><BR />In order to stop the server from handing out information regarding the technology it is utilizing, we need to disable the “Server” header. This could be achieved in a number of ways. Instances running IIS could utilize “URLScan” or “Custom HTTP Rules”.&nbsp; However, this is not a universal solution and in the case of URLScan, it is required to install an add-on to IIS. As a result, the following method will only target the HTTP service which works on any version of Windows.<BR />&nbsp;</P> <OL> <LI>Open up “regedit.exe” (Run as Administrator) and navigate to:<BR /><BR />HKLM\System\CurrentControlSet\Services\HTTP\Parameters<BR /><BR /></LI> <LI>Create a DWORD entry. <OL class="lia-list-style-type-lower-alpha"> <LI>Right-click on the whitespace</LI> <LI>New</LI> <LI>DWORD (32-bit) Value</LI> <LI>Rename the new entry to “DisableServerHeader”</LI> <LI>Set its value to 2</LI> <LI>Hit “OK”.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Creating a DWORD entry for “DisableServerHeader”" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64001iDF9B76390E7C1F85/image-size/large?v=v2&amp;px=999" role="button" title="Dword new.png" alt="Creating a DWORD entry for “DisableServerHeader”" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Creating a DWORD entry for “DisableServerHeader”</span></span><BR /><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Setting the value of DisableServerHeader to 2" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64002i63BA2FDE1CF18C8A/image-size/medium?v=v2&amp;px=400" role="button" title="value data.png" alt="Setting the value of DisableServerHeader to 2" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Setting the value of DisableServerHeader to 2</span></span><BR /><BR /></LI> </OL> </LI> <LI><SPAN style="font-family: inherit;">In order for this to take effect, it is required to reset the “http” service.&nbsp;&nbsp;<BR /><BR /></SPAN><I>Warning: This will make your web services relying on HTTP unresponsive.<BR /><BR /></I> <OL class="lia-list-style-type-lower-alpha"> <LI>Open CMD (or PS) as administrator and run the following:&nbsp;<BR /><LI-CODE lang="cpp">net stop HTTP net start HTTP​</LI-CODE></LI> <LI>If the above method fails, reboot the system.<BR /><BR /></LI> </OL> </LI> <LI>Once the service has been restarted successfully, the response header from the server should now look similar to this:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="No Server Header in the HTTP response" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64003i35225046EC28E6B5/image-size/medium?v=v2&amp;px=400" role="button" title="no server http header in http response.png" alt="No Server Header in the HTTP response" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">No Server Header in the HTTP response</span></span></LI> </OL> <P><BR /><BR /><BR />&nbsp;</P> Tue, 12 Oct 2021 12:21:19 GMT Sonja_Bauernfeind 2021-10-12T12:21:19Z https://community.qlik.com/t5/Official-Support-Articles/Disabling-Server-Header/ta-p/1716182 <P>It is important to suppress as much information as possible from any potentially harmful user.</P> <P>The server contains information identifying the technology being used and version numbers. This is not desirable because it increases the attack surface and could allow a malicious user to perform a spearheaded attack.&nbsp;</P> <P>&nbsp;</P> <H4><FONT color="#339966"><STRONG>Environment:</STRONG></FONT></H4> <P class="lia-indent-padding-left-30px"><LI-PRODUCT title="QlikView" id="qlikView"></LI-PRODUCT>&nbsp;<BR /><LI-PRODUCT title="Qlik Sense Enterprise on Windows" id="qlikSenseEnterpriseWindows"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <P><BR /><SPAN style="font-size: 11.0pt;">On Windows, whether that is server edition or regular, it is not very clear as to how to disable this header. These instructions aim to clarify and demonstrate how it could be done on either edition. Without disabling the header, the server gives information away regarding the technology it is utilizing, as seen below.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Server header with information disclosure" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64000iBEF78DF2196C4DE2/image-size/medium?v=v2&amp;px=400" role="button" title="Response Raw Server version displayed.png" alt="Server header with information disclosure" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Server header with information disclosure</span></span><BR /><BR /><BR /></P> <H3 class="qlik-migrated-tkb-headings"><STRONG><FONT color="#339966">Resolution:</FONT></STRONG></H3> <P><BR />In order to stop the server from handing out information regarding the technology it is utilizing, we need to disable the “Server” header. This could be achieved in a number of ways. Instances running IIS could utilize “URLScan” or “Custom HTTP Rules”.&nbsp; However, this is not a universal solution and in the case of URLScan, it is required to install an add-on to IIS. As a result, the following method will only target the HTTP service which works on any version of Windows.<BR />&nbsp;</P> <OL> <LI>Open up “regedit.exe” (Run as Administrator) and navigate to:<BR /><BR />HKLM\System\CurrentControlSet\Services\HTTP\Parameters<BR /><BR /></LI> <LI>Create a DWORD entry. <OL class="lia-list-style-type-lower-alpha"> <LI>Right-click on the whitespace</LI> <LI>New</LI> <LI>DWORD (32-bit) Value</LI> <LI>Rename the new entry to “DisableServerHeader”</LI> <LI>Set its value to 2</LI> <LI>Hit “OK”.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Creating a DWORD entry for “DisableServerHeader”" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64001iDF9B76390E7C1F85/image-size/large?v=v2&amp;px=999" role="button" title="Dword new.png" alt="Creating a DWORD entry for “DisableServerHeader”" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Creating a DWORD entry for “DisableServerHeader”</span></span><BR /><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Setting the value of DisableServerHeader to 2" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64002i63BA2FDE1CF18C8A/image-size/medium?v=v2&amp;px=400" role="button" title="value data.png" alt="Setting the value of DisableServerHeader to 2" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Setting the value of DisableServerHeader to 2</span></span><BR /><BR /></LI> </OL> </LI> <LI><SPAN style="font-family: inherit;">In order for this to take effect, it is required to reset the “http” service.&nbsp;&nbsp;<BR /><BR /></SPAN><I>Warning: This will make your web services relying on HTTP unresponsive.<BR /><BR /></I> <OL class="lia-list-style-type-lower-alpha"> <LI>Open CMD (or PS) as administrator and run the following:&nbsp;<BR /><LI-CODE lang="cpp">net stop HTTP net start HTTP​</LI-CODE></LI> <LI>If the above method fails, reboot the system.<BR /><BR /></LI> </OL> </LI> <LI>Once the service has been restarted successfully, the response header from the server should now look similar to this:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="No Server Header in the HTTP response" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/64003i35225046EC28E6B5/image-size/medium?v=v2&amp;px=400" role="button" title="no server http header in http response.png" alt="No Server Header in the HTTP response" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">No Server Header in the HTTP response</span></span></LI> </OL> <P><BR /><BR /><BR />&nbsp;</P> Tue, 12 Oct 2021 12:21:19 GMT https://community.qlik.com/t5/Official-Support-Articles/Disabling-Server-Header/ta-p/1716182 Sonja_Bauernfeind 2021-10-12T12:21:19Z