A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. To protect against this vulnerability, calls to the Qlik Sense Repository Service (QRS) API must include the following:
- Xrfkey parameter: Must equal 16 arbitrary characters. The characters can be changed in-between calls to the API.
- x-Qlik-Xrfkey: Custom http header. The format is as follows:
x-Qlik-Xrfkey: <The same 16 characters as used for the Xrfkey parameter>
The following API call returns all server node configurations in the Qlik Sense repository database:
https://localhost:4242/qrs/servernodeconfiguration/full?Xrfkey= abcdefghijklmnop&orderby=name%20asc HTTP/1.1 Accept-Encoding: gzip,deflate X-Qlik-User: UserDirectory=INTERNAL; UserId=sa_repository Accept-Charset: utf-8; q=0.9, us-ascii;q=0.1, iso-8859-1 Accept: text/xml; q=0.1, application/json; q=0.2 X-Qlik-Xrfkey: abcdefghijklmnop Host: localhost:4242 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
There is a number of optional parameters that can be used in the API calls. In the example above, the optional orderby parameter is used to sort the returned entities in ascending order by the name.