Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

gussfish
Contributor II

Disabling Server disclosure in the HTTP response header

Hi folks,

Is there a way to configure the QlikView webserver so that it doesn't disclose server version information (e.g. "Server: Microsoft-HTTPAPI/1.0") in HTTP response headers?

Our security team have identified this as a vulnerability (albeit a low-likelihood one), so I need to at least check if this is possible.

Thanks,

Angus.

2 Replies
danielrozental
Honored Contributor II

Re: Disabling Server disclosure in the HTTP response header

You could try using IIS, I bet it's easier to configure to handle that.

Not applicable

Re: Disabling Server disclosure in the HTTP response header

Hi Angus,

There is little benefit in hiding the server details in the response details. It's still possible to determine the WebServer by profiling the responses. If you still want to do this, you can disable the header by setting a registry key:

Remove Unwanted HTTP Response Headers - varunm - Site Home - MSDN Blogs

I'd suggest that you're better off enabling SSL, disabling the insecure protocols and making sure the host is patched.

On that front be aware that there is a critical bug in HTTP.sys that was published this week. Patch Now!

https://technet.microsoft.com/library/security/ms15-034

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 (Also works for QVWS)

Cheers,

Philip
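Added example, not part of the thread and not Qlik or Microsoft code: one way to confirm that the header is really gone after a change is to audit both a normal response and an error response, since checking only the 200 path can miss a header that is still sent on errors. The sample responses are constructed for illustration, and the extra header names checked (`X-Powered-By`, `X-AspNet-Version`) are assumptions beyond the `Server` header discussed above.

```python
import re

# Headers that commonly disclose server product or version (assumed list).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# product/version token, e.g. Microsoft-HTTPAPI/1.0
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")

def parse_head(raw: bytes):
    """Return (status_code, [(name, value), ...]) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(raw: bytes):
    """List disclosure findings as (status, header, value, has_version)."""
    status, headers = parse_head(raw)
    return [(status, n, v, bool(PRODUCT_VERSION.search(v)))
            for n, v in headers if n in DISCLOSING]

def audit_all(samples):
    """Audit named responses; return {name: findings} for those that disclose."""
    report = {}
    for name, raw in samples.items():
        findings = audit(raw)
        if findings:
            report[name] = findings
    return report

# Constructed sample responses (not captured from a real QlikView server).
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Server: Microsoft-HTTPAPI/1.0\r\nContent-Length: 0\r\n\r\n")
AFTER_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
# Error path, assumed here to still carry the header, to show why it is checked too.
AFTER_ERR = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n"
             b"SERVER: Microsoft-HTTPAPI/1.0\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    samples = {"before": BEFORE, "after-200": AFTER_OK, "after-400": AFTER_ERR}
    for name, findings in audit_all(samples).items():
        for status, header, value, versioned in findings:
            print(f"{name}: HTTP {status} {header}: {value} (version={versioned})")
```
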