sdcentre
Contributor II

API error response returns internal host name instead of web server address

Hello dear Qlik specialists!

We at our company have no previous experience with Qlik Analytics Platform (QAP). Yes, it is the same old Qlik Sense Enterprise with some limited and some added functionality, but there might still be some differences in the setup details, and as we are experiencing problems with QAP, we decided to ask you; maybe you will have some ideas on the problem described below.

Situation:

A penetration test on our QAP setup was performed (by an external auditor) and security vulnerability issues were found in error handling.

Test case:

When making an API call to host companywebaddress.com (*1 in picture) with the GET method api/hub/v1/streams/ with knowingly added redundant specific symbols "%00" (*2 in picture) appended to the stream id, like some-long-and-complicated-stream-id%00, the error response of the call returns the internal host name SOMEHOSTNAME.dmzad.local with the port added (*3 in picture), like

"Error requesting "https://SOMEHOSTNAME.dmzad.local:4242/qrs/stream/some-long-and-complicated-stream-id\u0000\" - TypeError ...".

A screenshot is attached to the post; I guess this will make the description of the test case clearer. Sorry, the addresses/names in the screenshot are hidden, of course. 🙂

Any idea how to get companywebaddress.com in the response output instead of SOMEHOSTNAME.dmzad.local:4242?

Is this a QAP (Qlik Sense) setup/configuration issue, or is this how it is built and how it should work?

Thank you in advance.
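
The following is an added example, not part of the original post and not Qlik code: a check that could run in a reverse proxy or a regression test in front of the API. It flags encoded control bytes such as %00 in the request path and finds or rewrites internal host references in an error body. The internal suffix list, the public origin and all function names are assumptions built from the redacted names in the post.

```python
import re

# Assumptions (not Qlik settings): internal DNS suffixes to hide and the
# public origin to show instead, taken from the post's redacted example.
INTERNAL_SUFFIXES = ("dmzad.local",)
PUBLIC_ORIGIN = "https://companywebaddress.com"


def _internal_host_pattern(suffixes):
    # Optional scheme, a host ending in an internal suffix, optional port.
    alt = "|".join(re.escape(s) for s in suffixes)
    return re.compile(
        r"(?:https?://)?(?:[A-Za-z0-9-]+\.)*(?:" + alt + r")(?::\d{1,5})?",
        re.IGNORECASE,
    )


def has_control_bytes(raw_path):
    """True if the still-encoded request path carries %00-%1f or %7f."""
    return re.search(r"%(?:[01][0-9a-f]|7f)", raw_path, re.IGNORECASE) is not None


def find_internal_hosts(body, suffixes=INTERNAL_SUFFIXES):
    """Return every internal host reference found in a response body."""
    return _internal_host_pattern(suffixes).findall(body)


def scrub_body(body, suffixes=INTERNAL_SUFFIXES, public_origin=PUBLIC_ORIGIN):
    """Replace internal scheme://host:port references with the public origin."""
    return _internal_host_pattern(suffixes).sub(public_origin, body)


# Constructed sample, modelled on the error text quoted in the post.
SAMPLE_BODY = (
    'Error requesting "https://SOMEHOSTNAME.dmzad.local:4242/qrs/stream/'
    'some-long-and-complicated-stream-id\\u0000" - TypeError'
)

if __name__ == "__main__":
    print(has_control_bytes("/api/hub/v1/streams/some-long-and-complicated-stream-id%00"))
    print(find_internal_hosts(SAMPLE_BODY))
    print(scrub_body(SAMPLE_BODY))
```

The scrubbed body still shows the backend path /qrs/stream/, so rejecting the request when has_control_bytes is true, before it reaches the backend, avoids producing the verbose error at all.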
