article Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection in Official Support Articles

Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection

Sonja_Bauernfeind — Wed, 25 Mar 2026 14:08:57 GMT

Beginning with Qlik Sense Enterprise on Windows 2024, Qlik has extended CSRF protection to WebSockets. For reference, see the Release Notes.

In the case of mashups, extensions, and or other cross-site domain setups, the following two steps are necessary:

Add additional response headers. These headers help protect against Cross-Site Forgery (CSRF) attacks.
Change the applicable code in your mashup or extension.

Content

Add the Response Headers

The additional response headers are:

Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: qlik-csrf-token

Localhost and port 8080 are examples. Replace them with the appropriate hostname. Defining the port is optional.

If you have multiple origins, add each to the Host allow list.

Example:

For more information about adding response headers to the Qlik Sense Virtual proxy, see Creating a virtual proxy. Expand the Advanced section to access Additional response headers.

Adapt your Mashup or Extension code

In certain scenarios, the additional headers on the virtual proxy will not be enough and a code change is required. In these cases, you need to request the CSRF token and then send it forward when opening the session on the WebSocket. See Workflow for a visualisation of the process.

An example written in Enigma.js is available here:

The information and example in this article are provided as-is and are not directly supported by Qlik Support. More assistance can be found on the Qlik Integration forum. Professional Services are available to help where needed.

Workflow

Verification

To verify if the header information is correctly passed on, capture the web traffic in your browser's debug tool.

Environment

Qlik Sense Enterprise on Windows

Re: Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection

Tool_Tip — Sun, 06 Apr 2025 03:38:50 GMT

Dear Sonja,

We are running November-2024 path 6 and we have already build some mashup as well, so just need to confirm if it is required us to add the mentioned Response headers ?

As if now by default I am unable to see any headers available:

Re: Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection

FabioSanchesRibeiro — Fri, 27 Jun 2025 12:19:41 GMT

Hi @Tool_Tip, yes, this is a required parameter whenever you have the following scenarios: mashups, extensions, cross-site or external web server embedding Qlik Sense objects.

Re: Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection

ASpivey01 — Wed, 27 Aug 2025 20:53:38 GMT

Chrome browser does not allow multiple values for the Access-Control-Allow-Origin header:

This is making it impossible to serve mashups on different domains/subdomains using a single virtual proxy.

Is there any way around this?

Re: Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection

karthiksrqv — Mon, 29 Sep 2025 07:40:04 GMT

@Sonja_Bauernfeind

Please look into adding code sample for other authentication methods that Qlik has been supporting for a long time (like the one above for JWT).

Re: Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection

ASpivey01 — Fri, 14 Nov 2025 16:38:21 GMT

@Sonja_Bauernfeind Can we correct this article to remove the guidance for adding multiple origins to the "Access-Control-Allow-Origin" list since that is not supported behavior?

Would be good to know what the alternatives are when we use a virtual proxy to handle mashup authentication on multiple subdomains. Like do we now need to use a separate virtual proxy for each mashup that's on a different subdomain and needs to make the session cookie safely available in other domains?