Rajashekar
Contributor III

'HSTS missing from HTTP' vulnerability (RFC 6797)

Hi, to be HSTS compliant, I followed the steps in the article below.

https://community.qlik.com/t5/Official-Support-Articles/HTTP-Strict-Transport-Security-HSTS-in-Qlik-...

This is working fine for port 443, but we are using other ports as well and HSTS is not compliant on those ports.

How do I make QS HSTS compliant on all ports (at least the ports we use)?

Can we mention ports in our header settings or in any other config files?

Strict-Transport-Security: max-age=31536000; includeSubDomains


And there is another article on how to redirect HTTP to HTTPS in Qlik Sense on port 80, but I need it for other ports as well. https://community.qlik.com/t5/Official-Support-Articles/How-to-Redirect-HTTP-to-HTTPS-in-Qlik-Sense/...


I appreciate your reply and any input.

Thank you.


I found some related articles to understand the issue:

https://www.tenable.com/plugins/nessus/142960

https://datatracker.ietf.org/doc/html/rfc6797

Accepted Solution
Levi_Turner
Employee

Those are internal ports which only operate using HTTPS. The point of HSTS is to ensure use of HTTPS. If you cannot use HTTP, then it is irrelevant for HSTS to ensure HTTPS use.

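The question asks whether ports can be named in the header, and the accepted answer's reasoning is that HSTS only has work to do where a port can be reached over plain HTTP. Both points can be checked against a real host rather than taken on trust. The script below is an added example, not Qlik's code and not the Nessus plugin: it probes each port, records whether it answered TLS or plain HTTP, parses any Strict-Transport-Security value per RFC 6797 section 6.1, and prints a verdict per port. It assumes a host name and port list on the command line; the default host `qlik.example.internal` is a placeholder and the default ports are the ones named in this thread. Certificate validation is switched off on purpose because the headers, not the certificate, are what is being inspected, and internal listeners commonly present self-signed certificates. One caveat when reading scanner output: RFC 6797 scopes a policy to the host name, not to a host:port pair, so a browser that has cached HSTS from https://host:443 will also upgrade a later http://host:4242 request; that is why there is no per-port syntax in the header, and why the scanner nevertheless reports every HTTPS port that omits it.

```python
"""Probe a host's ports and report HSTS status per RFC 6797 (added example)."""
import http.client
import re
import ssl
import sys
from dataclasses import dataclass
from typing import Optional

# directive = directive-name [ "=" directive-value ]; value is a token or quoted-string
DIRECTIVE_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9_-]*)\s*(?:=\s*("[^"]*"|[^;"\s]*))?\s*')
ONE_YEAR = 31536000  # the max-age used in the thread; also the preload-list minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1). Returns None when
    absent or invalid (no or non-numeric max-age, repeated directive); names are
    case-insensitive, and a UA ignores the whole field in those cases."""
    if value is None:
        return None
    seen = {}
    for raw in value.split(";"):
        if not raw.strip():            # empty directives between ';' are allowed
            continue
        m = DIRECTIVE_RE.fullmatch(raw)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:               # a directive MUST appear at most once
            return None
        seen[name] = m.group(2)
    max_age = seen.get("max-age")
    if max_age is None or not max_age.strip('"').isdigit():
        return None
    return HstsPolicy(int(max_age.strip('"')), "includesubdomains" in seen, "preload" in seen)


@dataclass
class Finding:
    port: int
    transport: str                     # "tls", "plain" or "unreachable"
    hsts: Optional[HstsPolicy]
    verdict: str


def classify(port: int, transport: str, status: Optional[int],
             location: Optional[str], sts_header: Optional[str]) -> Finding:
    """Encodes the accepted answer: a scanner flags every HTTPS port without the
    header, but the policy only changes browser behaviour where the same host also
    answers plain HTTP. A header seen over plain HTTP is ignored (RFC 6797 s8.1)."""
    policy = parse_hsts(sts_header) if transport == "tls" else None
    if transport == "unreachable":
        verdict = "no HTTP or HTTPS service answered"
    elif transport == "tls" and policy is None:
        verdict = ("HTTPS without a valid HSTS header: scanner finding; matters "
                   "only if this host also serves plain HTTP on some port")
    elif transport == "tls" and policy.max_age < ONE_YEAR:
        verdict = f"HTTPS with HSTS but max-age={policy.max_age} is under one year"
    elif transport == "tls":
        verdict = "HTTPS with HSTS"
    elif status in (301, 302, 307, 308) and (location or "").lower().startswith("https://"):
        verdict = "plain HTTP redirects to HTTPS; the HTTPS listener must send HSTS"
    else:
        verdict = "plain HTTP serves content: the exposure HSTS exists to close"
    return Finding(port, transport, policy, verdict)


def probe(host: str, port: int, timeout: float = 5.0) -> Finding:
    """Network I/O: try TLS first, then plain HTTP. Not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # headers only; internal certs are often self-signed
    try:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return classify(port, "tls", resp.status, resp.getheader("Location"),
                        resp.getheader("Strict-Transport-Security"))
    except (ssl.SSLError, ConnectionResetError):
        pass                           # port is not TLS; fall back to plain HTTP
    except OSError:
        return classify(port, "unreachable", None, None, None)
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return classify(port, "plain", resp.status, resp.getheader("Location"), None)
    except (OSError, http.client.HTTPException):
        return classify(port, "unreachable", None, None, None)


def main(argv):
    host = argv[1] if len(argv) > 1 else "qlik.example.internal"       # placeholder host
    ports = [int(p) for p in argv[2:]] or [80, 443, 4242, 4239, 4899]  # ports from the thread
    for port in ports:
        f = probe(host, port)
        print(f"{port:5d} {f.transport:11s} {f.verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 hsts_port_check.py <host> 80 443 4242 4239 4899`. A row reading "plain HTTP serves content" is the finding to act on; rows reading "HTTPS without a valid HSTS header" reproduce what the scanner reports and are worth closing for a clean report, but on a host with no plain-HTTP listener they do not represent a downgrade path.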

3 Replies
Levi_Turner
Employee

What other ports are you concerned about? HSTS headers are used to enforce the use of HTTPS (as opposed to HTTP). Other than the optional HTTP port enabled by the Qlik Proxy Service (80 by default), no other port used by Qlik Sense uses HTTP.

Rajashekar
Contributor III
Author

Hi @Levi_Turner , thank you for your prompt response.

Ports 4242, 4899, 4239 still show the "HSTS missing from HTTPS server" vulnerability (not compliant). Not sure how to make these non-vulnerable.

I appreciate your response.
