EE_
Contributor III

HSTS Missing From HTTPS Server on 404 Pages Despite Configuration

Dear Support Team,

A third-party security scan detects that HSTS is not enabled in Qlik Replicate, even though we have configured it according to the documentation provided here:
https://help.qlik.com/en-US/replicate/November2024/Content/Global_Common/Content/SharedEMReplicate/S...

Despite the correct setup, the scan still reports the following issue:

---
HSTS Missing From HTTPS Server (RFC 6797)
Plugin Output:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 22 Jan 2025 18:06:50 GMT
Connection: close
Content-Length: 315
---

Could you please advise how we can ensure that the HSTS header is also applied to 404 Not Found responses, so the security scan can pass successfully?

Thank you in advance for your assistance.

4 Replies
DesmondWOO
Support

Hi @EE_ 

Thank you for reaching out to the Qlik Community. 

Please test using the following curl command:

curl -k -D- https://<hostname>/attunityreplicate/

If HSTS is enabled, you should see "Strict-Transport-Security" in the response. For example,

HTTP/1.1 307 Temporary Redirect
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html
Location: https://yourhost/attunityreplicate/login/
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: Replicate.Redirect=/attunityreplicate/; Path=/attunityreplicate; HttpOnly; Secure; SameSite=Lax
Date: Mon, 07 Apr 2025 08:53:46 GMT

Regards,
Desmond

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!
EE_
Contributor III
Author

Hi @DesmondWOO 
We would like to clarify the behavior of the HSTS configuration previously provided.

May we confirm whether the HSTS setting only applies to routes under https://<hostname>/attunityreplicate/?
When we try to access https://hostname directly, it returns:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 10 Apr 2025 06:41:46 GMT
Connection: close
Content-Length: 315

As our vulnerability scanning tool (Tenable Nessus) accesses the root domain and checks for the HSTS header there, it currently flags this as HSTS Missing From HTTPS Server (RFC 6797).

Is there a way to configure Qlik Replicate to include the HSTS header even in 404 responses from the root domain?

Thank you.

R2JOE
Contributor II

Hello @EE_, I have the same problem. Have you solved it? Thank you.

DesmondWOO
Support

Hi @R2JOE ,

This is an OS-level issue - Replicate and QEM use a Windows subsystem called HTTP.SYS which allows multiple applications to be served on the same port 443.

When some client connects to the machine, the GET/PUT/POST/etc. request reaches HTTP.SYS and based on the request path, it is directed to the specific application. Thus, if the path is to the Qlik application (Replicate or QEM), it is being called and can return the required HSTS header.

Request paths to other applications (see the result of “netsh http show urlacl” for what other services are serving HTTP(S) on this machine) will rely on what they are designed to return (outside of Qlik’s control). If no match is made, HTTP.SYS will return its own response (also outside of Qlik’s control).

In any case, once a single application returns HSTS, that host will always be contacted in HTTPS, and Replicate/QEM will never serve over HTTP.

Regards,
Desmond

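The two behaviours discussed in this thread, as an added example that is not part of the original posts or of any Qlik code: a small RFC 6797 header check run per path (so you can see which paths on the host actually carry HSTS), and a minimal model of a browser's known-HSTS-hosts store showing why one valid header on the /attunityreplicate/ path pins the whole host to HTTPS. The sample responses are constructed, modelled on the ones quoted above; "yourhost" is a placeholder.

```python
"""Per-path HSTS check plus a minimal user-agent HSTS cache (RFC 6797)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses, shaped like the ones quoted in this thread.
ROOT_404 = ("HTTP/1.1 404 Not Found\r\n"
            "Content-Type: text/html; charset=us-ascii\r\n"
            "Server: Microsoft-HTTPAPI/2.0\r\n"
            "Connection: close\r\nContent-Length: 315\r\n\r\n")
APP_307 = ("HTTP/1.1 307 Temporary Redirect\r\n"
           "Location: https://yourhost/attunityreplicate/login/\r\n"
           "Server: Microsoft-HTTPAPI/2.0\r\n"
           "Strict-Transport-Security: max-age=31536000; includeSubDomains;\r\n"
           "X-Content-Type-Options: nosniff\r\n\r\n")

def parse_hsts(raw_response):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if the
    response has no usable STS header. max-age is mandatory; empty directives
    (the trailing ';' above) are permitted by the RFC 6797 grammar."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "strict-transport-security":
            continue
        policy = {"max_age": None, "include_subdomains": False}
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            val = val.strip().strip('"')
            if key.lower() == "max-age" and val.isdigit():
                policy["max_age"] = int(val)
            elif key.lower() == "includesubdomains":
                policy["include_subdomains"] = True
        return policy if policy["max_age"] is not None else None
    return None

def audit(responses_by_path):
    """Map each probed path to whether its response carries a valid policy."""
    return {p: parse_hsts(r) is not None for p, r in responses_by_path.items()}

class HstsCache:
    """Model of a UA's known-HSTS-hosts store: one entry per host, learned
    only from responses received over https (RFC 6797 section 8.1)."""
    def __init__(self):
        self.hosts = {}
    def observe(self, url, raw_response):
        parts, policy = urlsplit(url), parse_hsts(raw_response)
        if policy and parts.scheme == "https" and parts.hostname:
            self.hosts[parts.hostname.lower()] = policy
    def rewrite(self, url):
        """Upgrade http:// to https:// for any known host, whatever the path."""
        parts = urlsplit(url)
        if parts.scheme == "http" and (parts.hostname or "").lower() in self.hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Running audit({"/": ROOT_404, "/attunityreplicate/": APP_307}) reproduces the scanner's finding for "/" while showing the application path is covered; the cache then upgrades a later http://yourhost/ request regardless of which path it targets.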