Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
fkeuroglian
Partner - Master
Partner - Master

Vulnerabilty in HSTS QlikSense

Hi experts! how are you?

One client from auditory send me that there are one vulnerabilty in the QlikSense Server and send me this details:

The said that then have problem with the HEADER HSTS:

| http-security-headers: 

|   Strict_Transport_Security: 

|     HSTS not configured in HTTPS Server

|   Cache_Control: 

|_    Header: Cache-Control: no-cache

 

I found this article that said how we can modify the HSTS(link)

Someone have any other idea to control this?

 

Thanks a lot

Labels (2)
5 Replies
Levi_Turner
Employee
Employee

I don't follow. If the issue is that the response header doesn't have HSTS defined then why doesn't that article fit? That's the route to edit any arbitrary HTTP header inside of Qlik Sense.

fkeuroglian
Partner - Master
Partner - Master
Author

Levi how are you?

I do not have any experiencia dealing with the HSTS, the title of the article said "HTTP Strict Transport Security (HSTS) in Qlik Sense" 

Because of that i asume that it is the way to change it, but clearly or pherhaps it isnt?

Change the question, what is the correct form to defined the HSTS in qliksense?

Thanks a lot for your time Levi

Fernando

Levi_Turner
Employee
Employee

What do you mean it isn't being sent? This is it in my environment:

headers.png

 

Giuseppe_Novello

Hope you doing well, to answer you question:" What is the correct form to defined the HSTS in qliksense?". Well basically following the steps that the article provides? or is there anything else missing that we ( Levi) and I aren't getting? if you do, then please provide more clarity.

 

BR

Gio

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
tlourenco
Partner - Contributor
Partner - Contributor

Hello all, 

 

Did you find an answer to that Cache-control situation?

Ive tried adding it to the virtual proxy response header, but keep having it wrong...

Anyone knows the answer?

Kind regards.