fkeuroglian
Partner - Master

Vulnerability CORS in QlikSense

Hi Expert

A security audit gives me a vulnerability alert in QlikSense Server (using the April 2020 version of the Qlik Sense server).

CORS (Cross-Origin Resource Sharing)

Situation:

I have https://server.domain.com/qmc -> QMC and https://server.domain.com/hub -> Hub.

The vulnerability error is:

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way.

The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

Recommendations: Allow only selected, trusted domains in the Access-Control-Allow-Origin header.

Does anyone know how to mitigate it?

I tried adding the ACCESS CONTROL ORIGIN entry to the virtual proxy's response headers in the QMC, but it still continues:

Access-Control-Allow-Origin:https://server.domain.com/qmc, http://localhost

BUT the error or vulnerability persists.

Thanks a lot

Fernando
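
As an added illustration for this thread (not code from the original post and not Qlik's code), the block below shows, in Python, what the audit finding amounts to and what a correct server-side answer looks like: an allow-list check that only emits credentialed CORS headers for an exact match on a complete origin, next to the origin-reflecting behaviour the scanner text describes, plus a small classifier that reproduces the scanner's verdict from a response's headers. The host names are the ones in the post; the allow-list, the probe origin `https://attacker.example` and all function names are assumptions made for the example.

```python
"""Allow-list CORS for a credentialed API, beside the origin-reflecting
behaviour the audit describes, and a classifier that reproduces its verdict.

Hypothetical example written for this thread; not Qlik's code. The host
names come from the post; the allow-list and the probe origin are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list. Each entry is a complete origin: scheme://host[:port],
# with no path. A path ("/qmc") or a comma-separated list is not an origin.
TRUSTED_ORIGINS = frozenset({"https://server.domain.com", "http://localhost"})


def normalize_origin(value):
    """Return scheme://host[:port] for a syntactically valid origin, else None.

    Rejects 'null', comma-separated lists, userinfo, paths, queries and
    fragments; lower-cases the host and drops a default port.
    """
    if not value or "," in value:
        return None
    value = value.strip()
    if value.lower() == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    host = parts.hostname
    if ":" in host:                # bracket an IPv6 literal again
        host = f"[{host}]"
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_response_headers(request_origin, trusted=TRUSTED_ORIGINS):
    """Secure variant: exact allow-list match, or no CORS headers at all.

    Omitting Access-Control-Allow-Origin makes the browser block the
    cross-origin read; that is the correct answer for an unlisted origin.
    """
    origin = normalize_origin(request_origin)
    if origin is None or origin not in trusted:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop a cache serving one origin's answer to another
    }


def reflecting_response_headers(request_origin):
    """Insecure variant the audit describes: echo any Origin back with credentials."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def audit_verdict(headers, probe_origin):
    """Classify a response the way the scanner did, given the Origin it sent."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # browsers refuse '*' together with credentials, so no credentialed read
        return "wildcard"
    if creds and normalize_origin(acao) == normalize_origin(probe_origin):
        return "insecure-reflection"
    return "restricted"


def config_value_problems(value):
    """Explain why a static header value like the one in the post is not an origin."""
    problems = []
    if "," in value:
        problems.append("comma-separated list: the header carries exactly one origin")
    for item in value.split(","):
        item = item.strip()
        if urlsplit(item).path not in ("", "/"):
            problems.append(f"{item!r} has a path; an origin is scheme://host[:port] only")
    return problems


if __name__ == "__main__":
    probe = "https://attacker.example"   # constructed scanner probe origin
    print(audit_verdict(reflecting_response_headers(probe), probe))   # insecure-reflection
    print(audit_verdict(cors_response_headers(probe), probe))         # no-cors
    print(config_value_problems("https://server.domain.com/qmc, http://localhost"))
```

Two points the example makes that bear on the header value quoted in the post: Access-Control-Allow-Origin carries exactly one origin per response, and an origin is scheme, host and optional port with no path, so a value of the form `https://server.domain.com/qmc, http://localhost` is not something a browser will match against its Origin. The fix the scanner asks for is therefore a per-request decision on the server side: compare the incoming Origin against an allow-list of complete origins, echo only an exact match together with `Vary: Origin`, and send no CORS headers at all otherwise. How a given reverse proxy or the Qlik virtual proxy lets you express that is product-specific and not something this example asserts.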

1 Reply
Nadiasilvero
Partner - Contributor

Hello! Did you find the solution? We are having the same problem with a client, and it would be of much help if you could give us an answer in case you have been able to solve it. Thank you.