Skip to main content
July 15, NEW Customer Portal: Initial launch will improve how you submit Support Cases. READ MORE

QlikView HSTS (HTTP Strict-Transport-Security response header)

No ratings
Showing results for 
Search instead for 
Did you mean: 
Digital Support
Digital Support

QlikView HSTS (HTTP Strict-Transport-Security response header)

Last Update:

Feb 23, 2024 8:37:20 AM

Updated By:


Created date:

Jul 29, 2019 11:36:37 AM

HSTS (HTTP Strict-Transport-Security response header) security check failed.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.


Before adding HSTS to either the QlikView AccessPoint or the QlikView Management Console (QMC), set both up to use HTTPS. See for QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate instructions.


HSTS for the QlikView AccessPoint

Custom response headers can be set in both the QlikView WebServer (beginning with 12.30) and Microsoft IIS (all QlikView versions).

The custom header needed for HSTS is: Strict-Transport-Security

  1. Run text editor (e.g. Notepad) as Administrator 

  2. Edit QlikView WebServer configurations file. The default path is C:\ProgramData\QlikTech\WebServer\config.xml

  3. Locate CustomHeaders element within the config file. For more information, see QlikView WebServer: Custom HTTP Header.

  4. Add custom response header as <Header> element(s) with sub-elements defining Strict-Transport-Security as the name and your desired max-age= as value.

  5. Restart QlikView WebServer service

For information on how to configure custom headers with Microsoft IIS, see Setting Custom HTTP Headers in IIS for QlikView. The site gives information on how to setup the webserver to enable HSTS.

Testing can be achieved using any number of third party sites, such as: 


HSTS for the QlikView Management Console (QMC)

This setting was introduced with QlikView 12.70 (May 2022) SR1.

QVManagementService.exe.Config Changes:

  1. Stop the QlikView Management Services

  2. Go to ProgramFiles => qliktech => management service => open QVManagementService.exe.config using an administrator notepad

  3. Update this value to true =>

    <add key="UseHSTS" value="true" />

  4. To enable HSTS to header this value has to be set to true

    <add key="UseHTTPS" value="true" />






Labels (2)
Partner - Contributor II
Partner - Contributor II

Hi @Sonja_Bauernfeind . We have followed the instructions regarding the HSTS for the QlikView Management Console (QMC) but it seems that QMC is still exposed. Is there anything else we should do. 

Thank you in advance.

Digital Support
Digital Support

Hello @c_grigoriadis 

These are the only settings that should be required. I recommend you post about the challenge you are facing in our QlikView Administration forum, where our active support engineers and your knowledgeable Qlik peers can better assist you.

All the best,

Version history
Last update:
‎2024-02-23 08:37 AM
Updated by: