Just wanted to share a couple thoughts on a topic I have Googled many, many times.
Header authentication into a Qlik Sense environment bypasses Qlik Sense's traditional authentication measures. Therefore, it can be used to easily test calls to the Qlik Repository Service (QRS) API, but can also be used as a backdoor into your system and should be guarded very carefully.
In conjunction with another authentication method such as certificate authentication or an external authentication portal
A carefully configured system of firewalls / proxies
In a development environment
The QRS contains information about the configuration of your Qlik Sense environment. Access to the QRS comes with immense power. You'll have the ability to view license information. create and drop users. adjust security rules, export apps, etc. So be careful when building header authentication into external applications to protect yourself from malicious interactions. If your intent is to simply have users interact with your apps and data, then ticket and session authentication are other, more secure options to pursue.