Beginning with Qlik Sense Enterprise on Windows 2024, Qlik has extended CSRF protection to WebSockets. For reference, see the Release Notes.
In the case of mashups, extensions, or other cross-origin setups, the following two steps are necessary:
- Add additional response headers on the virtual proxy. These headers allow the browser to send and read the CSRF token cross-origin and help protect against Cross-Site Request Forgery (CSRF) attacks.
- Change the applicable code in your mashup or extension so that it requests the CSRF token and forwards it when opening the WebSocket session.
Add the Response Headers
The three additional response headers are:
Access-Control-Allow-Origin: https://localhost:8080
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: qlik-csrf-token
Localhost and port 8080 are examples. Replace them with the origin (scheme and hostname) of the site that hosts your mashup or extension. Defining the port is optional.
If you have multiple origins, separate them with commas.
Example: (screenshot of the virtual proxy's Additional response headers setting; image not included here)
For more information about adding response headers to the Qlik Sense virtual proxy, see Creating a virtual proxy. Expand the Advanced section to access Additional response headers.
Adapt your Mashup or Extension code
In certain scenarios, the additional headers on the virtual proxy will not be enough and a code change is required. In these cases, your code must first request the CSRF token from the virtual proxy and then send it forward when opening the session on the WebSocket; a WebSocket opened without the token is rejected. See Workflow for a visualisation of the process.
An example written in Enigma.js is available here:
The information and example in this article are provided as-is and are not directly supported by Qlik Support. More assistance can be found on the Qlik Integration forum. Professional Services are available to help where needed.
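The following is an added illustration of the two-step flow (request the token, then forward it on the WebSocket URL). It is not the Enigma.js example the article links to and not Qlik's code. The `qlik-csrf-token` response header name comes from the article; the token endpoint path (`tokenPath`) and the `qlik-csrf-token` query-parameter name used on the WebSocket URL are assumptions to be checked against your release's documentation. The `enigma` and `schema` objects are assumed to be loaded by the mashup (for example via a script tag); the sample response object at the bottom is constructed so the block runs offline.

```javascript
// Added example, not Qlik's code. Fetch the CSRF token from the virtual proxy and
// forward it when opening the Enigma.js WebSocket session.

const TOKEN_HEADER = 'qlik-csrf-token';      // response header name (from the article)
const TOKEN_QUERY_PARAM = 'qlik-csrf-token'; // ASSUMED query parameter name on the WebSocket URL

// Read the CSRF token out of a fetch() Response (any object whose headers has .get()).
// Returns null when the header is absent. In practice that means the virtual proxy
// is not exposing it (Access-Control-Expose-Headers) or the calling origin is not
// listed in Access-Control-Allow-Origin, so the browser hides the header from JS.
function csrfTokenFromResponse(response) {
  const value = response.headers.get(TOKEN_HEADER);
  return value && value.trim() !== '' ? value.trim() : null;
}

// Build the WebSocket URL for an app session, appending the CSRF token as a query
// parameter when one is given. The host/virtualProxy/appId values are the same
// ones a mashup already uses for its Enigma.js session URL.
function sessionUrl({ host, virtualProxy = '', appId, token = null }) {
  const prefix = virtualProxy ? `/${virtualProxy}` : '';
  const url = new URL(`wss://${host}${prefix}/app/${encodeURIComponent(appId)}`);
  if (token) url.searchParams.set(TOKEN_QUERY_PARAM, token);
  return url.toString();
}

// Step 1: request the token. tokenPath is an ASSUMPTION; use the path documented
// for your Qlik Sense release. credentials: 'include' sends the Qlik session cookie
// cross-origin, which is why Access-Control-Allow-Credentials: true is required.
async function fetchCsrfToken({ host, virtualProxy = '', tokenPath }) {
  const prefix = virtualProxy ? `/${virtualProxy}` : '';
  const response = await fetch(`https://${host}${prefix}${tokenPath}`, { credentials: 'include' });
  if (!response.ok) {
    throw new Error(`CSRF token request failed: HTTP ${response.status}`);
  }
  const token = csrfTokenFromResponse(response);
  if (!token) {
    throw new Error(`no ${TOKEN_HEADER} header on the response; check the virtual proxy's response headers`);
  }
  return token;
}

// Step 2: open the Enigma.js session with the token on the WebSocket URL.
// `enigma` and `schema` are assumed to be provided by the mashup page.
async function openSession(config, enigma, schema) {
  const token = await fetchCsrfToken(config);
  const session = enigma.create({
    schema,
    url: sessionUrl({ ...config, token }),
    createSocket: (url) => new WebSocket(url),
  });
  return session.open(); // resolves to the engine's global object
}

// Constructed sample response (not captured from a real server) to show the token
// extraction and URL construction without network access.
const sampleResponse = { ok: true, status: 200, headers: new Map([[TOKEN_HEADER, 'example-token-value']]) };
const sampleConfig = { host: 'sense.example.com', virtualProxy: 'mashup', appId: '1234-abcd' };
console.log(sessionUrl({ ...sampleConfig, token: csrfTokenFromResponse(sampleResponse) }));
// wss://sense.example.com/mashup/app/1234-abcd?qlik-csrf-token=example-token-value
```

When verifying in the browser's developer tools, the token request should show the `qlik-csrf-token` response header, and the WebSocket connection request should carry the token; if the header is missing from the response, the virtual proxy's Access-Control-* headers are the first thing to check, and no amount of client code will make the session open.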
Workflow
(Workflow diagram: image not included here)
Verification
To verify that the header information and the token are passed on correctly, capture the web traffic in your browser's developer tools: the request for the CSRF token should return the qlik-csrf-token response header, and the WebSocket connection request should include the token.
(Screenshot of the captured traffic: image not included here)
Environment
- Qlik Sense Enterprise on Windows November 2024 and later