diff --git a/app/services/qualys_service.py b/app/services/qualys_service.py index 31a7bef..f48c90e 100644 --- a/app/services/qualys_service.py +++ b/app/services/qualys_service.py @@ -49,23 +49,31 @@ def search_assets_api(db, query, field="name", operator="CONTAINS", force_refres proxies = {"https": qualys_proxy, "http": qualys_proxy} if qualys_proxy else None try: + from xml.sax.saxutils import escape as xml_escape + xml_body = ( + "" + "200" + "" + f"" + f"{xml_escape(query)}" + "" + "" + ) r = requests.post( f"{qualys_url}/qps/rest/5.0/search/am/hostasset", - json={"ServiceRequest": { - "preferences": {"limitResults": 200}, - "filters": {"Criteria": [ - {"field": field, "operator": operator, "value": query} - ]} - }}, + data=xml_body, auth=(qualys_user, qualys_pass), verify=False, timeout=60, proxies=proxies, - headers={"Content-Type": "application/json"} + headers={"Content-Type": "text/xml", "X-Requested-With": "PatchCenter"} ) except Exception as e: return {"ok": False, "msg": f"Erreur API: {e}", "assets": []} if r.status_code != 200 or "SUCCESS" not in r.text: - return {"ok": False, "msg": f"API HTTP {r.status_code}", "assets": []} + # Inclure le début du body pour faciliter le diagnostic + return {"ok": False, + "msg": f"API HTTP {r.status_code} — {r.text[:200]}", + "assets": []} assets = _parse_assets_full(r.text) result = {"ok": True, "msg": f"{len(assets)} résultat(s)", "assets": assets, "from_cache": False}
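Review bot: The new failure branch puts `r.text[:200]` into the returned `msg`, so up to 200 characters of the upstream Qualys response reach whatever caller displays this dict. I would log the excerpt server-side and keep `msg` as `f"API HTTP {r.status_code}"`, or at least confirm that every consumer escapes `msg` before rendering it. Separately, only `query` is visibly passed through `xml_escape`, and the markup inside the other string literals did not survive on this page. If `field` and `operator` are interpolated into attribute values, they need `xml.sax.saxutils.quoteattr` (plain `escape` leaves quotes untouched) or an allow-list of the operators the API accepts. The request also still goes out with `verify=False` next to basic-auth credentials, which this change leaves as is; the body of `search_assets_api` starts and ends outside the hunk.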