
Setting up HSTS on Replicate

HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should interact with it only over HTTPS connections, which provide Transport Layer Security (TLS/SSL).

You can force the Replicate Web UI and/or the Replicate REST API connections to use HSTS (HTTP Strict Transport Security). To do this, run the commands described below.

All commands should be run as Admin from the product bin folder.

Enabling HSTS on the Replicate UI Server

Command syntax

Repuictl.exe configuration set --static_http_headers header_list --rest_http_headers header_list

Parameters

--static_http_headers
    The headers required to connect to the Replicate Web UI.

--rest_http_headers
    The headers required to connect using the API.

Headers should be specified using the following format:

Repuictl.exe configuration set --static_http_headers "header1:value1" "header2:value2" --rest_http_headers "header1:value1" "header2:value2"

Example

Repuictl.exe configuration set --static_http_headers "Strict-Transport-Security:max-age=31536000; includeSubDomains;" --rest_http_headers "Strict-Transport-Security:max-age=31536000; includeSubDomains;"

Disabling HSTS on the Replicate UI Server

You can also revert to regular HTTPS connections.

Command syntax

Repuictl.exe configuration set --static_http_headers ""|--rest_http_headers ""

Parameters

--static_http_headers
    Use this parameter to revert the headers required to connect to the Replicate Web UI.

--rest_http_headers
    Use this parameter to revert the headers required to connect using the API.

Example

Disable static_http_headers

Repuictl.exe configuration set --static_http_headers ""

Disable rest_http_headers

Repuictl.exe configuration set --rest_http_headers ""

Configuring HSTS on the Replicate C UI Server

When connecting directly to the Replicate C UI Server (i.e. when Replicate Server is running on Linux), you need to add the rest_handler_response_additional_headers and static_resources_response_additional_headers settings to the repctl.cfg file. The default location of this file is /opt/attunity/replicate/bin/ on Linux (and C:\Program Files\Attunity\Replicate\bin on Windows). If you wish to remove these response headers at a later date, simply delete the settings.

See also: Qlik Replicate UI server configurations.

Information note

Any changes to the repctl.cfg file (such as editing/removing the headers) require you to restart the Replicate services once you have made your changes.

Example:

The following example shows the repctl.cfg file with both the rest_handler_response_additional_headers and the static_resources_response_additional_headers settings. Each of these settings defines the X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security response headers.

  • The X-XSS-Protection response header can be used to block reflected XSS attacks.
  • The X-Frame-Options response header defends against "clickjacking" by instructing the browser not to render any page carrying this header inside a frame (a potential security issue).
  • The Strict-Transport-Security response header instructs the browser to treat the domain as an HSTS host for a year (there are approximately 31536000 seconds in a year). The optional includeSubDomains directive means that subdomains (for example, secure.myhealthcare.example.com) should also be treated as HSTS hosts.

{
  "port": 3552,
  "plugins_load_list": "repui",
  "mandatory_plugins": "repui",
  "logger_status": {
    "REST_SERVER": "DEFAULT",
    "REPUI_PLUGIN": "DEFAULT"
  },
  "rest_handler_response_additional_headers": "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nStrict-Transport-Security:max-age=31536000; includeSubDomains;\r\n",
  "static_resources_response_additional_headers": "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nStrict-Transport-Security:max-age=31536000; includeSubDomains;\r\n",
  "verbose": false,
  "session_timeout_seconds": 60,
  "check_for_expired_session_interval_seconds": 50,
  "login_pam_libpam_full_path": "",
  "login_pam_service_name": "system-auth",
  "enable_execute_user_defined_commands": false
}
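As an added check (example code, not part of Qlik's documentation or product): a small Python audit that parses the two repctl.cfg header settings in the CRLF-separated format shown above and reports whether Strict-Transport-Security is present with the expected max-age and includeSubDomains. The sample configuration is constructed and deliberately omits HSTS from the static-resources setting so that one finding is produced.

```python
import json

# Constructed sample: the two header settings from a repctl.cfg in the format
# shown on this page, with HSTS left out of the static-resources string on purpose.
SAMPLE_REPCTL_CFG = json.dumps({
    "port": 3552,
    "rest_handler_response_additional_headers":
        "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Strict-Transport-Security:max-age=31536000; includeSubDomains;\r\n",
    "static_resources_response_additional_headers":
        "X-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\n",
})

HEADER_KEYS = ("rest_handler_response_additional_headers",
               "static_resources_response_additional_headers")

def parse_additional_headers(raw):
    """Split the CRLF-separated 'Name: value' string into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.split("\r\n"):
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def check_hsts(headers, min_max_age=31536000):
    """Return findings for the Strict-Transport-Security header; an empty list means OK."""
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header missing"]
    findings = []
    # Directives are ';'-separated; a trailing ';' as in the page's example is tolerated.
    directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
    ages = [d[len("max-age="):] for d in directives if d.startswith("max-age=")]
    if not ages or not ages[0].isdigit():
        findings.append("max-age directive missing or not a non-negative integer")
    elif int(ages[0]) < min_max_age:
        findings.append(f"max-age {ages[0]} is below the expected {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return findings

def audit_repctl_cfg(cfg_text):
    """Audit both additional-header settings of a repctl.cfg document: {setting: findings}."""
    cfg = json.loads(cfg_text)
    return {key: check_hsts(parse_additional_headers(cfg.get(key, ""))) for key in HEADER_KEYS}

if __name__ == "__main__":
    for setting, findings in audit_repctl_cfg(SAMPLE_REPCTL_CFG).items():
        print(setting, "OK" if not findings else findings)
```

Run it against a real repctl.cfg by passing the file's contents to audit_repctl_cfg; the same check_hsts function also works on a header dict captured from a live HTTPS response.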
