Qlik Community

Ask a Question

Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Live chat with experts, bring your API Integration questions. June 15th, 10 AM ET. REGISTER TODAY

Mitigating against clickjacking in Qlik Sense, X-FRAME Options in response header

Digital Support
Digital Support

Mitigating against clickjacking in Qlik Sense, X-FRAME Options in response header

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. (source)

In Qlik Sense, using the default setup, it is possible to embed a Qlik Sense site into an iframe external to the site and, potentially, capture credentials.

The main defence against this potential vulnerability is to set the X-Frame-Options Response Headers in the requests. This governs whether a browser should or should not render a page inside an iFrame.

There are a handful of values that can be configured. The support for those dependent on the web browser, so do investigate the type of X-Frame-Option that you are setting.



Qlik Sense Enterprise on Windows 




To mitigate against this you need to specify the X-Frame-Options. Possible values are “DENY”, “SAMEORIGIN” or “ALLOW-FROM”. See Clickjacking Defense Cheat Sheet.
  1. Open the Qlik Sense Management Console
  2. Navigate to the Virtual Proxy used in the implementation
  3. Click Edit
  4. Select Advanced in the right-hand side menu
  5. Locate Additional response headers 
  6. Add: X-Frame-Options: SAMEORIGIN 

Labels (1)
Version history
Revision #:
2 of 2
Last update:
‎2021-05-06 09:32 AM
Updated by: