https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061864#M4548 <HTML><HEAD></HEAD><BODY><P>So as a rule of thumb extensions poses as much security risk as browsing to Facebook.com, Google.com or any random web page on the web.</P><P></P><P>Extensions are client side technology, meaning it will execute within the sandbox that is the users browser, so it can't access anything on the server or outside the normal resources a browser can access on the local machine.</P><P></P><P></P><P>The potential risk you are running is that a extension could intercept the data from a app and then pipe that to a third party server somewhere. So I would scan for any outgoing connections such as xmlhttprequest, websockets etc</P><P></P><P>The Qlik cookies available to steal won't reveal anything special to the attacker apart from a session id which you can lock down with extended security in your virtual proxy.</P></BODY></HTML> Thu, 11 Feb 2016 19:17:35 GMT Alexander_Thor 2016-02-11T19:17:35Z https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061862#M4546 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P></P><P>I found a couple of open source extension.But before installing them on the Qliksense server ,I want to make sure it does not contain any trojan program that could pose a security risk.</P><P></P><P>Any tips on how to look for malicious code in extensions?</P></BODY></HTML> Fri, 05 Feb 2016 18:50:37 GMT https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061862#M4546 swarup_malli 2016-02-05T18:50:37Z https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061863#M4547 <HTML><HEAD></HEAD><BODY><P>Make sure you are downloading from a trusted sites and the websites from Qlik Partners</P><P></P><P>Also you can refer Stephan Walther's website</P><P></P><P><A href="http://www.qlikblog.at/" title="http://www.qlikblog.at/">qlikblog.at | QlikView / Qlik Sense Blog by Stefan Walther</A></P></BODY></HTML> Thu, 11 Feb 2016 19:06:31 GMT https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061863#M4547 satishkurra 2016-02-11T19:06:31Z https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061864#M4548 <HTML><HEAD></HEAD><BODY><P>So as a rule of thumb extensions poses as much security risk as browsing to Facebook.com, Google.com or any random web page on the web.</P><P></P><P>Extensions are client side technology, meaning it will execute within the sandbox that is the users browser, so it can't access anything on the server or outside the normal resources a browser can access on the local machine.</P><P></P><P></P><P>The potential risk you are running is that a extension could intercept the data from a app and then pipe that to a third party server somewhere. So I would scan for any outgoing connections such as xmlhttprequest, websockets etc</P><P></P><P>The Qlik cookies available to steal won't reveal anything special to the attacker apart from a session id which you can lock down with extended security in your virtual proxy.</P></BODY></HTML> Thu, 11 Feb 2016 19:17:35 GMT https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061864#M4548 Alexander_Thor 2016-02-11T19:17:35Z https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061865#M4549 <HTML><HEAD></HEAD><BODY><P>Thank you guys! sorry for the late reply </P></BODY></HTML> Tue, 16 Feb 2016 14:16:20 GMT https://community.qlik.com/t5/Integration-Extension-APIs/Can-extensions-carry-security-risk/m-p/1061865#M4549 swarup_malli 2016-02-16T14:16:20Z