Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
New: No-code data prep in Qlik Cloud Analytics™ TAKE A TOUR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Rajashekar
Contributor III
Contributor III
‎2024-03-27 10:35 AM

'HSTS missing from HTTP' vulnerability (RFC 6797)

hi, to be HSTS compliance, I followed the steps in article below.

https://community.qlik.com/t5/Official-Support-Articles/HTTP-Strict-Transport-Security-HSTS-in-Qlik-...

this is working fine for port 443. but we are using other ports as well and HSTS is not compliance to those ports. 

How to make QS compliance to HSTS to all ports (at least port we use).

Can we mention ports in our header settings or in any other config files?

Strict-Transport-Security: max-age=31536000; includeSubDomains

 

And there is another article to Redirect HTTP to HTTPS in Qlik Sense on port 80. but I need for other ports as well. https://community.qlik.com/t5/Official-Support-Articles/How-to-Redirect-HTTP-to-HTTPS-in-Qlik-Sense/...

 

Appreciate your reply and any inputs. 

Thank you.

 

found some related article to understand issue:

https://www.tenable.com/plugins/nessus/142960

https://datatracker.ietf.org/doc/html/rfc6797

Labels (1)
Labels
3,191 Views
1 Solution

Accepted Solutions
Levi_Turner
Employee
Employee
‎2024-03-28 09:58 AM

In response to Rajashekar

Those are internal ports which only operate using HTTPS. The point of HSTS is to ensure use of HTTPS. If you cannot use HTTP, then it is irrelevant for HSTS to ensure HTTPS use.

View solution in original post

1 user say ditto
3,147 Views
4 Replies
Levi_Turner
Employee
Employee
‎2024-03-27 02:53 PM

What other ports are you concerned about? HSTS headers are used to enforce the user of HTTPS (as opposed to HTTP). Other than the optional HTTP port enabled by the Qlik Proxy Service (80 by default), no other port used by Qlik Sense uses HTTP.

3,169 Views
Rajashekar
Contributor III
Contributor III
‎2024-03-28 09:26 AM
Author

Hi @Levi_Turner , thank you for your prompt response.

ports 4242,4899, 4239 are still show "HSTS missing from HTTPS server" vulnerability (not compliant). not sure how to make these non vulnerable.

Appreciate your response. 

3,137 Views
Levi_Turner
Employee
Employee
‎2024-03-28 09:58 AM

In response to Rajashekar

Those are internal ports which only operate using HTTPS. The point of HSTS is to ensure use of HTTPS. If you cannot use HTTP, then it is irrelevant for HSTS to ensure HTTPS use.

1 user say ditto
3,148 Views
Aaron_Liu
Partner - Contributor III
Partner - Contributor III
‎2024-08-14 03:13 AM

In response to Levi_Turner

Hi Sir,

I has the same question too, I used another product that is Qlik Replicate.
Follow document step to enable HSTS, but the port 3552 still show vulnerability (RFC 6797) by Vulnerability Assessment product.

Please tell me how to solve it.
Thanks.

2,032 Views
0 Likes