Skip to main content Skip to complementary content

Setting up HSTS on Replicate

HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying Dilqam) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL).

You can force the Replicate Web UI and/or the Replicate REST API connections to use HSTS (HTTP Strict Transport Security). To do this, run the commands described below.

All commands should be run from as Admin from the product bin folder.

Enabling HSTS on the Replicate UI Server

Command syntax

Repuictl.exe configuration set --static_http_headers header_list --rest_http_headers header_list


Parameter Description

The headers required to connect to the Replicate Web UI.


The headers required to connect using the API.

Headers should be specified using the following format:

Repuictl.exe configuration set --static_http_headers "header1:value1" "header2:value2" --rest_http_headers "header1:value1" "header2:value2"


Repuictl.exe configuration set --static_http_headers "Strict-Transport-Security:max-age=31536000; includeSubDomains;" --rest_http_headers "Strict-Transport-Security":"max-age=31536000; includeSubDomains;"

Disabling HSTS on the Replicate UI Server

You can also revert to regular HTTPS connections.

Command syntax

Repuictl.exe configuration set --static_http_headers ""|--rest_http_headers ""


Parameter Description

Use this parameter to revert the headers required to connect to the Replicate Web UI.


Use this parameter to revert the headers required to connect using the API.


Disable static_http_headers

Repuictl.exe configuration set --static_http_headers ""

Disable rest_http_headers

Repuictl.exe configuration set --rest_http_headers ""

Configuring HSTS on the Replicate C UI Server

When connecting directly to the Replicate C UI Server (i.e. when Replicate Server is running on Linux), you need to add the rest_handler_response_additional_headers and the static_resources_response_additional_headers to the repctl.cfg file. The default location of this file is /opt/attunity/replicate/bin/ on Linux (and C:\Program Files\Attunity\Replicate\bin on Windows). If you wish to remove these response headers at a later date, simply delete them.

See also: Qlik Replicate UI server configurations.

Information note

Any changes to the repctl.cfg file (such as editing/removing the headers) require you to restart the Replicate services once you have made your changes.


The following example shows the repctl.cfg file with both the rest_handler_response_additional_headers and the static_resources_response_additional_headers. Each of these headers is defined with X-XSS-Protection, X-Frame-Options, and Strict-Transport-Security response headers.

  • The X-XSS-Protection response header can be used to block reflected XSS attacks.
  • The X-Frame-Options response header defends against "clickjacking" by instructing the browser to prevent any site with this header in the response from being rendered within a frame (a potential security issue).
  • The Strict-Transport-Security response header instructs the browser to treat the domain as an HSTS host for a year (there are approximately 31536000 seconds in a year). The optional includeSubDomains directive means that subdomains (i.e. should also be treated as an HSTS domain.


"port": 3552,







"rest_handler_response_additional_headers": "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nStrict-Transport-Security:max-age=31536000; includeSubDomains;\r\n",

"static_resources_response_additional_headers": "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nStrict-Transport-Security:max-age=31536000; includeSubDomains;\r\n"





"login_pam_service_name": "system-auth",

"enable_execute_user_defined_commands": false


Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!