
Qlik Architecture Deep Dive Blog

Deep dives into specific back-end technologies which allow for the extension of Qlik to fit the needs of the enterprise.


HSTS - HTTP Strict Transport Security

At its root, the HSTS standard ensures that clients always connect to a website over HTTPS. While this sounds like a very good idea and something you might want, caution is needed: it can block HTTP access to pages that actually require it or that need to be excluded from the policy.

This is all configured in a response header, and here are two examples:

Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains

When testing this, make sure to set a short max-age in case you make a mistake. Once you have tested that it works as it should, you can increase the value to 1 year (max-age=31536000) or 6 months (max-age=15768000). Max-age is defined in seconds. As you can see, the difference between these examples is the includeSubDomains directive, which extends the policy to every subdomain and therefore blocks plain HTTP traffic to all hosts in the domain, so confirm with your IT/security teams before using it.

There is also the possibility of sending a preload directive, but that has further implications: once a site is on the browser preload lists, the policy is built into the browsers themselves and cannot be withdrawn quickly. Read more online before deciding to enable it, and again consult all areas involved in your organization.

That all said, to enable this in Qlik Sense Enterprise on Windows is relatively simple. First, you need to enable 'Allow HTTP' in the proxy settings.

Proxy Settings


Next, choose the virtual proxy that you want the HSTS policy to be set on, and go to the 'Advanced' section of that specific virtual proxy. There you will want to add the header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

It should look like the following:

Virtual Proxy Settings


Once this is done, you should be able to go to http://qlikServerHost/qmc (in my case because I added this to my default virtual proxy), and you should end up on a secure connection. Note that browsers only honour the header when it arrives on an HTTPS response, so visit the site over HTTPS once first; after that, plain HTTP requests to the host are upgraded automatically until the max-age expires.
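To make the header syntax and the includeSubDomains and max-age behaviour above concrete, and to show why the final check only works once the browser has seen the header over HTTPS, here is an added example that is not part of the original post or of Qlik's software. It parses a Strict-Transport-Security value the way RFC 6797 describes and models a browser's HSTS cache deciding whether a plain HTTP URL gets upgraded. The host names (qlik.example.test and its subdomain), the header values and the timestamps are constructed for illustration.

```python
"""Parse Strict-Transport-Security headers and model how a browser applies them.

Added example for the blog post; not Qlik code. Hosts, headers and times below
are constructed test data.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000     # production value suggested in the post (seconds)
SIX_MONTHS = 15768000   # alternative value suggested in the post (seconds)


@dataclass
class HstsPolicy:
    max_age: int              # lifetime in seconds
    include_subdomains: bool  # policy also covers every subdomain
    preload: bool             # site asks to be added to browser preload lists
    received_at: float        # epoch seconds when the header was received

    def expired(self, now: float) -> bool:
        return now >= self.received_at + self.max_age


def parse_hsts(header: str, received_at: float) -> Optional[HstsPolicy]:
    """Parse a header value per RFC 6797; return None if it is invalid."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            # A duplicate or non-numeric max-age makes the whole header invalid.
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload, received_at)


class Browser:
    """Minimal model of a user agent's HSTS cache (constructed for this example)."""

    def __init__(self) -> None:
        self.cache: dict = {}  # hostname -> HstsPolicy

    def receive(self, url: str, headers: dict, now: float) -> bool:
        """Process a response; return True if a policy was stored or cleared."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # HSTS headers on plain HTTP responses are ignored
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value, now)
        if policy is None:
            return False
        if policy.max_age == 0:
            self.cache.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.cache[parts.hostname] = policy
        return True

    def upgrade(self, url: str, now: float) -> str:
        """Return the URL the browser would actually request for `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname
        labels = host.split(".")
        # Check the host itself, then each parent domain; a parent only counts
        # if its policy carries includeSubDomains.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.cache.get(candidate)
            if policy is None or policy.expired(now):
                continue
            if candidate == host or policy.include_subdomains:
                return url.replace("http://", "https://", 1)
        return url


if __name__ == "__main__":
    b = Browser()
    hdr = {"Strict-Transport-Security": "max-age=60; includeSubDomains"}
    b.receive("https://qlik.example.test/qmc", hdr, now=0.0)
    print(b.upgrade("http://qlik.example.test/qmc", now=1.0))
    print(b.upgrade("http://hub.qlik.example.test/hub", now=1.0))
    print(b.upgrade("http://qlik.example.test/qmc", now=61.0))  # policy expired
```

The model shows the three behaviours that matter when rolling this out: a header delivered over plain HTTP does nothing, so the first visit must be HTTPS; includeSubDomains makes a policy on qlik.example.test apply to hub.qlik.example.test but never to the parent example.test; and once max-age has elapsed the browser silently falls back to plain HTTP, which is why a short max-age limits the damage of a misconfiguration during testing.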

More info here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
