Mitigating against clickjacking in Qlik Sense, X-FRAME Options in response header
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. (source)
In Qlik Sense, using the default setup, it is possible to embed a Qlik Sense site into an iframe external to the site and, potentially, capture credentials.
The main defence against this potential vulnerability is to set the X-Frame-Options Response Headers in the requests. This governs whether a browser should or should not render a page inside an iFrame.
There are a handful of values that can be configured. The support for those dependent on the web browser, so do investigate the type of X-Frame-Option that you are setting.