https://community.qlik.com/t5/Official-Support-Articles/QS-Header-Authentication-Error-when-using-X-Qlik-User-hdr-quot/ta-p/2436941 <P>When using "<STRONG>Header authentication</STRONG>" method, after upgrading to latest Qlik Sense Enterprise versions or latest patch,&nbsp;you may encouter error like "<STRONG>400 bad request Invalid header in the request</STRONG>".</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bad_request.png" style="width: 708px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/163217iDC6E9866B3C9C9BF/image-dimensions/708x218?v=v2" width="708" height="218" role="button" title="bad_request.png" alt="bad_request.png" /></span></P> <P>From the image above, notice that the request header is “<STRONG>X-Qlik-User-hdr = Domain\administrator</STRONG>" (in this example). Meaning that, in Qlik Sense&nbsp;virtual proxy settings, the "<STRONG>header authentication header name</STRONG>” was set to “<STRONG>X-Qlik-User-hdr".</STRONG></P> <P class="lia-indent-padding-left-30px"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Header_name_QLik_X.png" style="width: 690px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/163219iC7726FAF29BBCDE9/image-dimensions/690x390?v=v2" width="690" height="390" role="button" title="Header_name_QLik_X.png" alt="Header_name_QLik_X.png" /></span></STRONG></P> <H3 style="font-family: Inter, Arial, sans-serif; color: #000000;"><FONT color="#339966"><STRONG>Resolution</STRONG></FONT></H3> <P>This is working as designed&nbsp; (WAD).</P> <P>R&amp;D confirmed that, there was a security fix made back in August-September 2023, which disallow header authentication using header names that include "<STRONG>X-Qlik-User"</STRONG> in "<STRONG>header authentication header name</STRONG>".</P> <P>Thus, if the "Header Authentication" setting was working before the upgrade and then the error "<STRONG>400 bad request Invalid header in the request</STRONG>" occurs after upgrading to latest version of Qlik Sense Enterprise or after installing a patch, please ensure that in the related virtual proxy, "header authentication header name” is not set to something like "<STRONG>X-Qlik-User-*</STRONG>" (<A href="https://help.qlik.com/en-US/sense-admin/February2024/Subsystems/DeployAdministerQSE/Content/Sense_DeployAdminister/QSEoW/Administer_QSEoW/Managing_QSEoW/virtual-proxies-overview.htm" target="_self">Check for example QS Feb 2024 header name restrictions</A>).</P> <P class="lia-indent-padding-left-30px"><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Header_name.png" style="width: 665px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/163237i5D3070A6B6C89200/image-dimensions/665x287?v=v2" width="665" height="287" role="button" title="Header_name.png" alt="Header_name.png" /></span></P> <P style="font-style: italic;">Information provided on this defect is given as is at the time of documenting. For up to date information, please review the most recent Release Notes, or <A href="https://community.qlik.com/t5/crmsupport/page" target="_blank" rel="noopener">contact support</A> with the ID <STRONG>QB-25945 or</STRONG>&nbsp;<STRONG>QB-21731</STRONG> for reference.</P> <H3><FONT color="#339966"><STRONG>Cause</STRONG></FONT></H3> <P>Product Defect ID: <STRONG>QB-25945</STRONG>, <STRONG>QB-21731</STRONG> and <STRONG>HLP-15641</STRONG></P> <P>&nbsp;</P> <H4><FONT color="#339966"><STRONG>Environment</STRONG></FONT></H4> <UL> <LI>Qlik Sense Entreprise on Windows</LI> </UL> Tue, 02 Apr 2024 16:18:19 GMT Joseph_Musekura 2024-04-02T16:18:19Z https://community.qlik.com/t5/Official-Support-Articles/QS-Header-Authentication-Error-when-using-X-Qlik-User-hdr-quot/ta-p/2436941 <P>When using "<STRONG>Header authentication</STRONG>" method, after upgrading to latest Qlik Sense Enterprise versions or latest patch,&nbsp;you may encouter error like "<STRONG>400 bad request Invalid header in the request</STRONG>".</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bad_request.png" style="width: 708px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/163217iDC6E9866B3C9C9BF/image-dimensions/708x218?v=v2" width="708" height="218" role="button" title="bad_request.png" alt="bad_request.png" /></span></P> <P>From the image above, notice that the request header is “<STRONG>X-Qlik-User-hdr = Domain\administrator</STRONG>" (in this example). Meaning that, in Qlik Sense&nbsp;virtual proxy settings, the "<STRONG>header authentication header name</STRONG>” was set to “<STRONG>X-Qlik-User-hdr".</STRONG></P> <P class="lia-indent-padding-left-30px"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Header_name_QLik_X.png" style="width: 690px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/163219iC7726FAF29BBCDE9/image-dimensions/690x390?v=v2" width="690" height="390" role="button" title="Header_name_QLik_X.png" alt="Header_name_QLik_X.png" /></span></STRONG></P> <H3 style="font-family: Inter, Arial, sans-serif; color: #000000;"><FONT color="#339966"><STRONG>Resolution</STRONG></FONT></H3> <P>This is working as designed&nbsp; (WAD).</P> <P>R&amp;D confirmed that, there was a security fix made back in August-September 2023, which disallow header authentication using header names that include "<STRONG>X-Qlik-User"</STRONG> in "<STRONG>header authentication header name</STRONG>".</P> <P>Thus, if the "Header Authentication" setting was working before the upgrade and then the error "<STRONG>400 bad request Invalid header in the request</STRONG>" occurs after upgrading to latest version of Qlik Sense Enterprise or after installing a patch, please ensure that in the related virtual proxy, "header authentication header name” is not set to something like "<STRONG>X-Qlik-User-*</STRONG>" (<A href="https://help.qlik.com/en-US/sense-admin/February2024/Subsystems/DeployAdministerQSE/Content/Sense_DeployAdminister/QSEoW/Administer_QSEoW/Managing_QSEoW/virtual-proxies-overview.htm" target="_self">Check for example QS Feb 2024 header name restrictions</A>).</P> <P class="lia-indent-padding-left-30px"><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Header_name.png" style="width: 665px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/163237i5D3070A6B6C89200/image-dimensions/665x287?v=v2" width="665" height="287" role="button" title="Header_name.png" alt="Header_name.png" /></span></P> <P style="font-style: italic;">Information provided on this defect is given as is at the time of documenting. For up to date information, please review the most recent Release Notes, or <A href="https://community.qlik.com/t5/crmsupport/page" target="_blank" rel="noopener">contact support</A> with the ID <STRONG>QB-25945 or</STRONG>&nbsp;<STRONG>QB-21731</STRONG> for reference.</P> <H3><FONT color="#339966"><STRONG>Cause</STRONG></FONT></H3> <P>Product Defect ID: <STRONG>QB-25945</STRONG>, <STRONG>QB-21731</STRONG> and <STRONG>HLP-15641</STRONG></P> <P>&nbsp;</P> <H4><FONT color="#339966"><STRONG>Environment</STRONG></FONT></H4> <UL> <LI>Qlik Sense Entreprise on Windows</LI> </UL> Tue, 02 Apr 2024 16:18:19 GMT https://community.qlik.com/t5/Official-Support-Articles/QS-Header-Authentication-Error-when-using-X-Qlik-User-hdr-quot/ta-p/2436941 Joseph_Musekura 2024-04-02T16:18:19Z https://community.qlik.com/t5/Official-Support-Articles/QS-Header-Authentication-Error-when-using-X-Qlik-User-hdr-quot/tac-p/2540376#M16725 <P>Hi,</P><P>We currently use 2021 qlik version.&nbsp;I am required to setup QRS API. our qlik runs in 443 port so according to qlik help docu this comes under virtual proxy. I have setup virtual proxy accordingly but still in postman i am getting error like 400 the http request is incorrect. The Link used in POSTMAN: GET https:// qlikserver/qrs/about?xrfkey=(16 character key) and also filled the required headers.<BR />This worked in UAT Qlik but in PROD Qlik i am getting this error. Only difference is in UAT QLIK i was able to find APIUSER user directory and i found my userid and i added it as admin but in prod this APIUSER is not appearing. I have attached the ss below. If anyone has done the similar setup of QRS Kindly help on this.</P><P>Note: Basically we need to automate tasks in qlik and for this accessing the qrs via postman to check</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ana31_0-1767774330237.png" style="width: 400px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/186123i2F5EFF8E60CF5A4C/image-size/medium?v=v2&amp;px=400" role="button" title="Ana31_0-1767774330237.png" alt="Ana31_0-1767774330237.png" /></span></P><P>&nbsp;</P> Wed, 07 Jan 2026 08:26:15 GMT https://community.qlik.com/t5/Official-Support-Articles/QS-Header-Authentication-Error-when-using-X-Qlik-User-hdr-quot/tac-p/2540376#M16725 Ana31 2026-01-07T08:26:15Z