HTTP Strict Transport Security (HSTS) in Qlik Sense

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead. 

More details about HSTS can be found on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

Resolution

In Qlik Sense, one can add additional HTTP response headers in the Virtual Proxy configuration to enforce HSTS

1. Open the Qlik Sense QMC
2. In the CONFIGURATION SYSTEM section,  click on Virtual Proxies
3. Select the Virtual Proxy profile for user access and click on Edit
4. Go to the Advanced section and in the field "Additional response headers" 
5. Enter the HSTS configuration setting applicable to your environment. i.e  Strict-Transport-Security: max-age=31536000;includeSubDomains;Preload
   
   
   
   
6. HTTP to HTTPS must be enabled.

For additional information about HTTP to HTTPS redirects, see

• How to: Redirect HTTP to HTTPS in Qlik Sense
• Qlik Community: Qlik Sense redirect HTTP to HTTPS
• and feature request Sense Initial URL redirect to /hub (http)

Sites to Confirm HSTS setup

• https://hstspreload.org/
• https://tools.geekflare.com/hsts-test
• https://dev.ssllabs.com/ssltest/
• https://nvisium.com/blog/2014/04/25/is-your-site-hsts-enabled.html

Gov Site on HSTS  https://https.cio.gov/hsts/

Note: Qlik does NOT support the configuration or implementation of non-Qlik or Operating System related software. The above suggestion is an introduction to this topic, and if it does not work in your particular environment then please reach out internally to your IT team. If you need direct assistance, please contact your Account Owner to discuss purchasing Consulting Services. (see How to Contact the Consulting Team?)

Environment:

Qlik Sense Enterprise on Windows