Qlik Sense Enterprise on Windows: Extended WebSocket CSRF protection
Sonja_Bauernfeind, Digital Support


Last Update: Mar 12, 2025 11:59:16 AM
Updated By: Sonja_Bauernfeind
Created date: Mar 12, 2025 11:25:53 AM

Beginning with Qlik Sense Enterprise on Windows November 2024, Qlik has extended CSRF protection to WebSockets: the Engine WebSocket session is only opened when the client presents a valid CSRF token. For reference, see the Release Notes.

For mashups, extensions, or other setups where Qlik Sense content is served from a different origin, the following two steps are necessary:

  1. Add additional response headers on the virtual proxy. These CORS headers let a mashup or extension on another origin send its session cookie and read the CSRF token, which is what protects the WebSocket against Cross-Site Request Forgery (CSRF).
  2. Change the applicable code in your mashup or extension so that it requests the token and passes it on when opening the WebSocket.

Add the Response Headers

The three additional response headers are:

Access-Control-Allow-Origin: https://localhost:8080
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: qlik-csrf-token

localhost and port 8080 are examples. Replace them with the origin of the site that hosts your mashup or extension (scheme and hostname; the port only when it is not the default for the scheme), exactly as the browser sends it in the Origin request header, because the browser compares the two values for an exact match.
Only one origin can be given here. Browsers reject a comma-separated list in Access-Control-Allow-Origin (see the comments below), and the wildcard * cannot be combined with Access-Control-Allow-Credentials: true. To serve mashups from several origins, configure one virtual proxy per origin.

Example: (screenshot: the virtual proxy's Additional response headers with the three headers above)

For more information about adding response headers to the Qlik Sense Virtual proxy, see Creating a virtual proxy. Expand the Advanced section to access Additional response headers.

 

Adapt your Mashup or Extension code

In certain scenarios, the additional headers on the virtual proxy will not be enough and a code change is required. In these cases, you need to request the CSRF token first and then forward it when opening the session on the WebSocket; a WebSocket opened without the token is refused. See Workflow for a visualisation of the process.

An example written in Enigma.js is available here:

The information and example in this article are provided as-is and are not directly supported by Qlik Support. More assistance can be found on the Qlik Integration forum. Professional Services are available to help where needed.
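The following is an added example, not the enigma.js sample linked above and not Qlik's own code. It shows both halves of the procedure: a check of the three virtual-proxy response headers the way a browser evaluates them for a credentialed cross-origin request (including the comma-separated-origins failure discussed in the comments), and the token flow of fetching the CSRF token and forwarding it on the WebSocket URL when enigma.js opens the Engine session. Two details are assumptions, not stated in this article: the token endpoint /<virtual proxy>/qps/csrftoken and the WebSocket query parameter name qlik-csrf-token; check both against the release notes for your version. The enigma.js module and schema are injected so the file loads without them.

```javascript
// Added example (not Qlik's code): request the CSRF token from a Qlik Sense
// Enterprise on Windows virtual proxy and forward it when opening the Engine
// WebSocket. Assumed (not in the article): endpoint /<vp>/qps/csrftoken and the
// WebSocket query parameter qlik-csrf-token. Verify both in the release notes.

const CSRF_HEADER = 'qlik-csrf-token';

// Evaluate the virtual proxy's three CORS headers the way a browser does for a
// credentialed request from `mashupOrigin`. `headers` is any object with a
// get(name) method. Returns a list of problems; empty means the headers work.
function checkCorsHeaders(headers, mashupOrigin) {
  const problems = [];
  const allowOrigin = (headers.get('access-control-allow-origin') || '').trim();
  if (allowOrigin === '') {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin.includes(',')) {
    // Browsers accept exactly one value here; "a, b" is rejected outright.
    problems.push('Access-Control-Allow-Origin lists several origins; use one virtual proxy per origin');
  } else if (allowOrigin === '*') {
    problems.push('Access-Control-Allow-Origin "*" is not allowed together with credentials');
  } else if (allowOrigin !== mashupOrigin) {
    problems.push(`Access-Control-Allow-Origin "${allowOrigin}" does not match ${mashupOrigin}`);
  }
  if ((headers.get('access-control-allow-credentials') || '').trim() !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be "true" so the session cookie is sent');
  }
  const exposed = (headers.get('access-control-expose-headers') || '')
    .split(',').map((h) => h.trim().toLowerCase());
  if (!exposed.includes(CSRF_HEADER)) {
    problems.push(`Access-Control-Expose-Headers must include ${CSRF_HEADER}, or fetch() cannot read the token`);
  }
  return problems;
}

function csrfTokenUrl(server, virtualProxy) {
  const prefix = virtualProxy ? `/${virtualProxy}` : '';
  return `https://${server}${prefix}/qps/csrftoken`; // assumed endpoint
}

function engineWebSocketUrl(server, virtualProxy, appId, token) {
  const prefix = virtualProxy ? `/${virtualProxy}` : '';
  const url = new URL(`wss://${server}${prefix}/app/${encodeURIComponent(appId)}`);
  url.searchParams.set(CSRF_HEADER, token); // assumed parameter name
  return url.toString();
}

// Extract the token from the token response. Throws when the header is not
// readable, which is what you see when Access-Control-Expose-Headers is missing.
function tokenFromResponse(res) {
  if (!res.ok) throw new Error(`CSRF token request failed: HTTP ${res.status}`);
  const token = res.headers.get(CSRF_HEADER);
  if (!token) throw new Error(`${CSRF_HEADER} not readable; check Access-Control-Expose-Headers on the virtual proxy`);
  return token;
}

async function fetchCsrfToken(server, virtualProxy, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(csrfTokenUrl(server, virtualProxy), {
    method: 'GET',
    credentials: 'include', // send the Qlik session cookie on the cross-origin request
  });
  return tokenFromResponse(res);
}

// Open the Engine session with enigma.js, carrying the token on the WebSocket URL.
// `enigma` and `schema` are injected so this file loads without the packages:
//   const enigma = require('enigma.js');
//   const schema = require('enigma.js/schemas/<engine version>.json');
//   openAppWithCsrf({ enigma, schema, server: 'qlik.example.com',
//                     virtualProxy: 'mashup', appId: '<app id>' }).then((app) => ...);
async function openAppWithCsrf({ enigma, schema, server, virtualProxy, appId, fetchImpl }) {
  const token = await fetchCsrfToken(server, virtualProxy, fetchImpl);
  const session = enigma.create({
    schema,
    url: engineWebSocketUrl(server, virtualProxy, appId, token),
    createSocket: (url) => new WebSocket(url),
  });
  const global = await session.open();
  return global.openDoc(appId);
}
```

Run checkCorsHeaders against the response headers of the token request (from the browser's Network tab or a curl -I against the virtual proxy) before changing any mashup code; every problem it reports will otherwise surface only as a blocked request or a missing token in the browser.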

Workflow

(diagram: the mashup requests the CSRF token from the virtual proxy, then opens the WebSocket session with the token)

Verification

To verify that the headers are passed on correctly, capture the traffic in your browser's developer tools (Network tab) and inspect the response headers of the token request: the three Access-Control headers should be present and the qlik-csrf-token header should be readable.

(screenshot: network traffic showing the response headers)


Environment

  • Qlik Sense Enterprise on Windows November 2024 and later
Comments
Tool_Tip (Creator III)

Dear Sonja,

We are running November 2024 patch 6 and we have already built some mashups as well, so I just need to confirm whether it is required for us to add the mentioned response headers?

As of now, by default I am unable to see any headers available:

(screenshot: virtual proxy settings with no additional response headers)


FabioSanchesRibeiro

Hi @Tool_Tip, yes, this is a required parameter whenever you have the following scenarios: mashups, extensions, cross-site or external web server embedding Qlik Sense objects.

ASpivey01 (Contributor II)

Chrome browser does not allow multiple values for the Access-Control-Allow-Origin header:

(screenshot: Chrome console error for multiple values in Access-Control-Allow-Origin)

This is making it impossible to serve mashups on different domains/subdomains using a single virtual proxy.

Is there any way around this?

karthiksrqv (Partner - Creator II)

@Sonja_Bauernfeind 

Please look into adding code samples for the other authentication methods that Qlik has been supporting for a long time (like the one above for JWT).
