gussfish
Creator II

Disabling Server disclosure in the HTTP response header

Hi folks,

is there a way to configure the QlikView webserver so that it doesn't disclose server version information (e.g. "Server: Microsoft-HTTPAPI/1.0") in HTTP response headers?

Our security team have identified this as a vulnerability (albeit a low-likelihood one), so I need to at least check if this is possible.

Thanks,

Angus.

2 Replies
danielrozental
Master II

You could try using IIS, I bet it's easier to configure to handle that.

Not applicable

Hi Angus,

there is little benefit in hiding the server details in the response details. It's still possible to determine the WebServer by profiling the responses. If you still want to do this you can disable the header by setting a registry key:

Remove Unwanted HTTP Response Headers - varunm - Site Home - MSDN Blogs

I'd suggest that you're better off enabling SSL, disabling the insecure protocols and making sure the host is patched.

On that front be aware that there is a critical bug in HTTP.sys that was published this week. Patch Now!

https://technet.microsoft.com/library/security/ms15-034

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 (Also works for QVWS)

Cheers,

Philip
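
A way to verify the result of the header change discussed in this thread, as an added example that is not part of any post: it parses captured response heads and reports banner headers that still carry a version token, checking an error response as well as a normal page because the two can be produced by different layers. The header list, function names and sample responses are assumptions constructed for the example; only the `Microsoft-HTTPAPI/1.0` value comes from the question.

```python
import re

# Headers that commonly carry product/version banners (assumed list for this example).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_TOKEN = re.compile(r"\d+(?:\.\d+)+")  # e.g. the "1.0" in Microsoft-HTTPAPI/1.0

def parse_headers(raw):
    """Return (status_code, [(name, value), ...]) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Obsolete folded continuation line: append to the previous header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return status, headers

def audit(raw):
    """List banner headers in one response, flagging those with a version token."""
    status, headers = parse_headers(raw)
    return [
        {"status": status, "header": name, "value": value,
         "versioned": bool(VERSION_TOKEN.search(value))}
        for name, value in headers
        if name.lower() in BANNER_HEADERS  # header names are case-insensitive
    ]

# Constructed sample responses: a normal page, a malformed-request error,
# and a response captured after the banner has been suppressed.
SAMPLES = {
    "app_page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Server: Microsoft-HTTPAPI/1.0\r\n\r\n<html></html>",
    "bad_request": "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n"
                   "SERVER: Microsoft-HTTPAPI/1.0\r\n\r\n",
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

def summarize(samples=SAMPLES):
    """Map each sample label to its list of findings (empty list means clean)."""
    return {label: audit(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, findings in summarize().items():
        print(label, findings or "no banner headers")
```
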