Hi folks,
Is there a way to configure the QlikView webserver so that it doesn't disclose server version information (e.g. "Server: Microsoft-HTTPAPI/1.0") in HTTP response headers?
Our security team have identified this as a vulnerability (albeit a low-likelihood one), so I need to at least check if this is possible.
Thanks,
Angus.
You could try using IIS, I bet it's easier to configure to handle that.
Hi Angus,
There is little benefit in hiding the server details in the response details. It's still possible to determine the web server by profiling the responses. If you still want to do this, you can disable the header by setting a registry key:
Remove Unwanted HTTP Response Headers - varunm - Site Home - MSDN Blogs
I'd suggest that you're better off enabling SSL, disabling the insecure protocols and making sure the host is patched.
On that front be aware that there is a critical bug in HTTP.sys that was published this week. Patch Now!
https://technet.microsoft.com/library/security/ms15-034
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 (Also works for QVWS)
Cheers,
Philip
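Added example, not part of the thread: a small Python check for confirming that a response no longer discloses server product or version details after a change like the one discussed above. The function names, the list of audited headers and both sample responses are constructed for illustration.

```python
import re

# Response headers that commonly carry server or framework identification.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# A dotted version number such as "1.0" or "4.0.30319".
VERSION = re.compile(r"\d+(?:\.\d+)+")


def parse_head(raw: bytes):
    """Split a raw HTTP response into its status line and (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that have no colon
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def audit_disclosure(raw: bytes):
    """Return (header, value, reason) for each identifying header in the response."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name.lower() not in DISCLOSING_HEADERS or not value:
            continue
        reason = "version disclosed" if VERSION.search(value) else "product name only"
        findings.append((name, value, reason))
    return findings


# Constructed sample responses: before and after the Server header is removed.
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Server: Microsoft-HTTPAPI/1.0\r\n"
          b"Date: Thu, 16 Apr 2015 10:00:00 GMT\r\nContent-Length: 0\r\n\r\n")
AFTER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         b"Date: Thu, 16 Apr 2015 10:00:00 GMT\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_disclosure(raw) or "no identifying headers")
```

Run it against responses captured from your own server, including error responses, since those can be generated by a different layer than normal page responses.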