Just wanted to share a couple thoughts on a topic I have Googled many, many times.
Header authentication into a Qlik Sense environment bypasses Qlik Sense's traditional authentication measures. Therefore, it can be used to easily test calls to the Qlik Repository Service (QRS) API, but can also be used as a backdoor into your system and should be guarded very carefully.
The QRS contains information about the configuration of your Qlik Sense environment. Access to the QRS comes with immense power. You'll have the ability to view license information. create and drop users. adjust security rules, export apps, etc. So be careful when building header authentication into external applications to protect yourself from malicious interactions. If your intent is to simply have users interact with your apps and data, then ticket and session authentication are other, more secure options to pursue.