Configuring HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) lets your web servers declare that web browsers can only interact with them using secure HTTPS connections. This helps protect against protocol downgrade attacks and cookie hijacking.

The server communicates this policy to the user agent via an HTTPS response header field named "Strict-Transport-Security". HSTS is enabled in the proxy configuration files, where you can also specify how long these security settings should last.

Configuring HSTS headers

Do the following:

  1. Stop the QlikNPrintingWebEngine service.
  2. Open the proxy files:
    1. To customize the Qlik NPrinting web console, open webconsoleproxy\app.conf. The typical path is C:\ProgramData\NPrinting\webconsoleproxy.
    2. To customize the NewsStand, open newsstandproxy\app.conf. The typical path is C:\ProgramData\NPrinting\newsstand.
  3. Configure the following strings:
    1. hsts.header.enabled: Default value is false. Set to true to enable HSTS.

    2. hsts.header.maxage: The time, in seconds, that the browser should remember that a site should only be accessed using HTTPS. Default value is 63072000 (two years).

  4. Restart the QlikNPrintingWebEngine service.
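
Once the service is running again, the Strict-Transport-Security value returned over HTTPS can be compared with the configured hsts.header.maxage. The following is an added example, not Qlik code: it parses a header value according to RFC 6797 and reports mismatches. The function names and the sample header strings in the comments are constructed for illustration.

```python
import re

# Default hsts.header.maxage stated on this page (two years, in seconds).
CONFIGURED_MAX_AGE = 63072000

def parse_hsts(value):
    """Parse a header value into {directive: value}. Raises ValueError where
    RFC 6797 has browsers ignore the header: a repeated directive, or a
    missing or non-numeric max-age."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form, e.g. max-age="600"
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = val if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives

def check_hsts(header, expected_max_age=CONFIGURED_MAX_AGE):
    """Return a list of findings; an empty list means the header matches."""
    if header is None:
        return ["Strict-Transport-Security header absent"]
    try:
        parsed = parse_hsts(header)
    except ValueError as exc:
        return [f"malformed header, browsers will ignore it: {exc}"]
    if parsed["max-age"] == 0:
        return ["max-age=0 tells browsers to drop the HSTS policy"]
    if parsed["max-age"] != expected_max_age:
        return [f"max-age {parsed['max-age']} differs from configured {expected_max_age}"]
    return []

if __name__ == "__main__":
    # Constructed sample values, not captured from a real server.
    for sample in ("max-age=63072000", "max-age=600; max-age=63072000", None):
        print(repr(sample), "->", check_hsts(sample) or "OK")
```

Pass the header value taken from a response of the web console or NewsStand; browsers only honor the header when it arrives over HTTPS, so the check is meaningful only for HTTPS responses.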