QRS API XSRF prevention check failed. Possible XSRF discovered.

NadiaB · Apr 15, 2022 10:12:39 AM

A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. Thus we use the Xrfkey to prevent that, without Xrfkey being set in the URL the server will send back a message saying: XSRF prevention check failed. Possible XSRF discovered.

When the xrfkey parameter is missing or the xrfkey value differs from the value in the header the following error occurs:

403 - Forbidden
XSRF prevention check failed. Possible XSRF discovered.

Environment

Qlik Sense QRS API all versions

Resolution

Make sure that the xrfkey is included in the URL

https://qlikserver1.domain.local:4242/qrs/about?xrfkey=12345678qwertyui

Make sure that the request includes the header

$hdrs.Add("X-Qlik-xrfkey","12345678qwertyui")

Make sure that the header value is the same than the parameter in the URL

$hdrs.Add("X-Qlik-xrfkey","12345678qwertyui")

$url = "https://qlikserver1.domain.local:4242/qrs/about?xrfkey=12345678qwertyui"

Cause

Missing parameter in the URL, missing header, mismatch value passed in the parameter and header.

Related Content

How to configure Postman (desktop app) to connect to Qlik Sense

Qlik Sense QRS API using Xrfkey header in PowerShell

LiquidSword · ‎2024-10-03

how do I find my xrfkey?

I'm trying to do a fetch request using chrome developer console.

Sonja_Bauernfeind · ‎2024-10-03

Hello @LiquidSword

An Xrfkey is a string of 16 arbitrary characters which you choose yourself. See Using Xrfkey headers.

All the best,
Sonja