Securing Quality Center v10

Question ID: 104087

Our Quality Center instance has sensitive financial data that must be secure.

What suggestions should be considered to ensure that everything is encrypted and/or secure?

Posted by (Questions: 23, Answers: 1)
Asked on April 8, 2010 2:14 pm
Answers (1)

You can set up a secure socket layer for the QC connection with your app server.
http://eyeontesting.com/questions/126/how-to-configure-quality-center-to-use-https

At that point, you'll have all you need for the QC internet connection to be secure. There are also some configuration parameters for Site Administrator you can use:

DISPLAY_LAST_USER_INFO:

This parameter enables you to add additional security to the client Quality Center Login window. By default, Quality Center displays the last user login information (user name, domain and project). If this parameter is set to "N", the last user login information is not saved on the client machine and is not displayed in the Quality Center Login window.
To activate this parameter, you must log in to Quality Center, log out, and log in again. If this parameter is set to "Y" or does not exist, the last user information is displayed.

RESTRICT_SERVER_FOLDERS:

This parameter enables you to access restricted-access server directories using the OTA ExtendedStorage.ServerPath property.
If this parameter does not exist, or is set to "Y", you can only use the ExtendedStorage.ServerPath property to access the following directories:

  • the Site Administration (SA) directory
  • the root directory for a project
  • the attach subdirectory for a project
  • the components subdirectory for a project
  • the script_templates subdirectory for a project
  • the StyleSheets subdirectory for a project
  • the tests subdirectory for a project

For the project-related directories, this only applies if your project repository is stored in the file system. If this parameter is set to "N", you can access all server directories using the ExtendedStorage.ServerPath property. For more information on this property, refer to the HP Quality Center Open Test Architecture API Reference. For more information about Quality Center project structure, see "Understanding the Project Structure."

SECURED_QC_URL

When Quality Center generates email, it includes a link to Quality Center in the email. If this parameter is set to "Y", the Quality Center URL uses an SSL connection (starting with https:). If it is set to "N" (default), SSL is not used.

SQL_QUERY_VALIDATION_ENABLED

By default, Quality Center checks SQL queries in Excel reports to ensure that they are valid and do not alter the project database. For more information on this validation, see the HP Quality Center User Guide. If this parameter is set to "N", this validation is not performed. If this parameter does not exist, is empty, or is set to "Y", this validation is performed.

SQL_QUERY_VALIDATION_BLACK_LIST

By default, Quality Center checks that SQL queries for Excel reports do not include any of the following commands: INSERT, DELETE, UPDATE, DROP, CREATE, COMMIT, ROLLBACK, ALTER, EXEC, EXECUTE, MERGE, GRANT, REVOKE, SET, INTO, or TRUNCATE. This ensures that you do not inadvertently modify or delete records in the project database. You can modify which commands are on this list by adding this parameter. The parameter's value must be a comma-separated list of SQL commands that Quality Center should verify are not included in SQL queries for an Excel report. Note that this verification is not performed if the SQL_QUERY_VALIDATION_ENABLED parameter exists and is set to "N".

DISABLE_COMMAND_INTERFACE

If this parameter is set to "Y" (default), only users belonging to the TDAdmin group can use the OTA Command object. If it is set to "N", any user can use it. If it is set to "ALL", no users can use it. For more information, refer to the HP Quality Center Open Test Architecture API R

Posted by (Questions: 0, Answers: 613)
Answered on April 8, 2010 2:45 pm
Thanks Sammy for the information
( at April 8, 2010 2:50 pm)
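
The parameter defaults described in the answer above can be checked mechanically. The following is an added example, not part of the original answer and not HP code: it audits a set of Site Administration parameters, applying the stated "absent means default" behaviour and flagging a custom blacklist that drops any of the default commands. The name-to-value dict input, the case-insensitive comparison, and treating an empty value as absent for every parameter are assumptions; the expected values are the more restrictive setting of each parameter as described above.

```python
# Added example: audit Quality Center site parameters against the restrictive
# values described in the answer. How the parameters are exported into a dict
# is an assumption; no Quality Center API is used here.

DEFAULT_BLACKLIST = {
    "INSERT", "DELETE", "UPDATE", "DROP", "CREATE", "COMMIT", "ROLLBACK",
    "ALTER", "EXEC", "EXECUTE", "MERGE", "GRANT", "REVOKE", "SET", "INTO",
    "TRUNCATE",
}

# name -> (value in effect when the parameter is absent, acceptable values)
RULES = {
    "DISPLAY_LAST_USER_INFO": ("Y", {"N"}),
    "RESTRICT_SERVER_FOLDERS": ("Y", {"Y"}),
    "SECURED_QC_URL": ("N", {"Y"}),
    "SQL_QUERY_VALIDATION_ENABLED": ("Y", {"Y"}),
    "DISABLE_COMMAND_INTERFACE": ("Y", {"Y", "ALL"}),
}


def audit(params):
    """Return a list of findings for a {parameter name: value} dict."""
    findings = []
    for name, (default, ok) in RULES.items():
        raw = (params.get(name) or "").strip().upper()
        value = raw or default  # assumption: empty is treated like absent
        if value not in ok:
            origin = "set" if raw else "default"
            findings.append(
                f"{name}={value} ({origin}); expected {'/'.join(sorted(ok))}")
    custom = params.get("SQL_QUERY_VALIDATION_BLACK_LIST")
    if custom is not None:
        # A custom list replaces the default, so report dropped commands.
        listed = {c.strip().upper() for c in custom.split(",") if c.strip()}
        missing = sorted(DEFAULT_BLACKLIST - listed)
        if missing:
            findings.append(
                "SQL_QUERY_VALIDATION_BLACK_LIST omits: " + ", ".join(missing))
    return findings


# Constructed sample values, not taken from a real server.
SAMPLE = {
    "RESTRICT_SERVER_FOLDERS": "N",
    "SQL_QUERY_VALIDATION_ENABLED": "",
    "SQL_QUERY_VALIDATION_BLACK_LIST": "INSERT, DELETE, UPDATE, DROP",
    "DISABLE_COMMAND_INTERFACE": "ALL",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```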