fkeuroglian
Partner - Master

Vulnerability in HSTS QlikSense

Hi experts! How are you?

A client's audit reported to me that there is a vulnerability in the Qlik Sense server and sent me these details:

They said that they have a problem with the HSTS header:

| http-security-headers: 
|   Strict_Transport_Security: 
|     HSTS not configured in HTTPS Server
|   Cache_Control: 
|_    Header: Cache-Control: no-cache

 

I found this article that says how we can modify the HSTS (link)

Does anyone have any other idea for how to control this?

 

Thanks a lot

5 Replies
Levi_Turner
Employee

I don't follow. If the issue is that the response header doesn't have HSTS defined then why doesn't that article fit? That's the route to edit any arbitrary HTTP header inside of Qlik Sense.

fkeuroglian
Partner - Master
Author

Levi, how are you?

I do not have any experience dealing with HSTS; the title of the article says "HTTP Strict Transport Security (HSTS) in Qlik Sense".

Because of that I assume that it is the way to change it, but clearly, or perhaps, it isn't?

To change the question: what is the correct form to define the HSTS in Qlik Sense?

Thanks a lot for your time Levi

Fernando

Levi_Turner
Employee

What do you mean it isn't being sent? This is it in my environment:

headers.png

 

Giuseppe_Novello

Hope you're doing well. To answer your question, "What is the correct form to define the HSTS in Qlik Sense?": well, basically, following the steps that the article provides? Or is there anything else missing that we (Levi and I) aren't getting? If so, then please provide more clarity.

 

BR

Gio

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
tlourenco
Partner - Contributor

Hello all, 

 

Did you find an answer to that Cache-Control situation?

I've tried adding it to the virtual proxy response header, but I keep getting it wrong...

Does anyone know the answer?

Kind regards.
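
One way to check the two headers the audit flagged after a response header has been added, as an added example that is not part of the thread and not Qlik code. The sample responses are constructed, and the one-year `max-age` threshold and the `includeSubDomains` check are assumptions, since the thread does not state the required values.

```python
def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_hsts(headers, min_age=31536000):      # assumed threshold: one year
    """Return findings for Strict-Transport-Security (RFC 6797 syntax)."""
    values = headers.get("strict-transport-security")
    if not values:
        return ["HSTS header missing"]
    findings = []
    if len(values) > 1:
        findings.append("multiple HSTS headers; browsers use only the first")
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        findings.append("max-age missing or not a number; policy is ignored")
    elif int(age) == 0:
        findings.append("max-age=0 removes the HSTS policy")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings

def cache_directives(headers):
    """Return the set of Cache-Control directives, lowercased."""
    joined = ",".join(headers.get("cache-control", []))
    return {d.strip().lower() for d in joined.split(",") if d.strip()}

# Constructed sample responses (not captured from a real server).
BEFORE = "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n\r\n"
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
         "Cache-Control: no-cache\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        h = parse_headers(raw)
        print(label, check_hsts(h) or "HSTS ok", sorted(cache_directives(h)))
```

Browsers honor HSTS only when it arrives over HTTPS, so the response being checked should come from the HTTPS listener.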