Configuring X-Frame-Options

Qlik NPrinting supports X-Frame-Options HTTP response headers.

The X-Frame-Options header is a security measure that prevents the Qlik NPrinting web console and NewsStand from being embedded in a <frame> or <iframe>. Enabling X-Frame-Options HTTP response headers defends against Cross-Frame Scripting (XFS), clickjacking, and other forms of attack.

XFS headers profiles

The following table illustrates different XFS headers restriction profiles based on X-Frame-Options settings.

[XFS headers restriction profiles]

| Configurations | XFS header |
|---|---|
| xfs.headers.enabled=false | None |
| xfs.headers.enabled=true, xfs.headers.option=DENY | X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' |
| xfs.headers.enabled=true, xfs.headers.option=SAMEORIGIN | X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self' |
| xfs.headers.enabled=true, xfs.headers.option=ALLOW-FROM, xfs.headers.allowed_uri=https://domain.com | X-Frame-Options: ALLOW-FROM https://domain.com and Content-Security-Policy: frame-ancestors domain.com |

Configuring your X-Frame-Options header

Opening the proxy file

To configure X-Frame-Options, you must edit the proxy configuration files for Qlik NPrinting web console and NewsStand. The default locations of these files are:

  • NewsStand proxy configuration file: %ProgramData%\NPrinting\newsstandproxy\app.conf
  • Qlik NPrinting web console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf

Note: You must stop the Qlik NPrinting web engine service before changing any configuration.

Enabling XFS headers

To enable or disable XFS headers, edit the following setting:

Setting: xfs.headers.enabled

Value options:

  • true
  • false

Default value: true

Setting XFS header options

To set specific XFS header options, edit the following setting:

Setting: xfs.headers.option

Value options:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM

Default value: DENY

Allowing a specific URL address

You can specify a URL that is allowed to display responses inside a frame. This setting must be configured when ALLOW-FROM is used for xfs.headers.option. You can enter multiple URLs by separating them with a space.

Setting: xfs.headers.allowed_uri

Example: xfs.headers.allowed_uri=https://domain.com

Default value: undefined

Note: You must restart the Qlik NPrinting web engine service to make your changes effective.
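
To confirm that a proxy returns the headers its app.conf calls for, the check below derives the expected headers from the profile table above and compares them with the headers seen in a response. It is an added example, not Qlik code; it assumes app.conf holds plain key=value lines, and how several allowed URIs are rendered into the headers is an assumption (the page shows only the single-URI case).

```python
# Added example, not Qlik code. Assumes app.conf uses plain key=value lines.
from urllib.parse import urlsplit

# Defaults as stated on the page.
DEFAULTS = {"xfs.headers.enabled": "true", "xfs.headers.option": "DENY"}
# Constructed sample configuration for the demo at the bottom.
SAMPLE_CONF = "xfs.headers.enabled=true\nxfs.headers.option=SAMEORIGIN\n"

def parse_conf(text):
    """Read key=value settings, skipping blanks, comments and section headers."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def expected_headers(conf):
    """Map the settings to the headers listed in the page's profile table."""
    if conf["xfs.headers.enabled"].lower() != "true":
        return {}
    option = conf["xfs.headers.option"].upper()
    fixed = {"DENY": "'none'", "SAMEORIGIN": "'self'"}
    if option in fixed:
        return {"X-Frame-Options": option,
                "Content-Security-Policy": "frame-ancestors " + fixed[option]}
    if option == "ALLOW-FROM":
        uris = conf.get("xfs.headers.allowed_uri", "").split()
        if not uris:
            raise ValueError("ALLOW-FROM requires xfs.headers.allowed_uri")
        # Assumption: several URIs are space-joined in both headers.
        hosts = " ".join(urlsplit(u).netloc or u for u in uris)
        return {"X-Frame-Options": "ALLOW-FROM " + " ".join(uris),
                "Content-Security-Policy": "frame-ancestors " + hosts}
    raise ValueError("unknown xfs.headers.option: " + option)

def audit(conf_text, observed):
    """Return findings that compare observed response headers with the config."""
    try:
        want = expected_headers(parse_conf(conf_text))
    except ValueError as exc:
        return ["config error: %s" % exc]
    if not want:
        return ["XFS headers disabled: no framing restriction is sent"]
    seen = {k.lower(): v.strip() for k, v in observed.items()}
    return ["%s: expected %r, got %r" % (k, v, seen.get(k.lower()))
            for k, v in want.items() if seen.get(k.lower()) != v]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, {"X-Frame-Options": "DENY"}))
```

Current browsers ignore X-Frame-Options: ALLOW-FROM, so under that profile the Content-Security-Policy frame-ancestors header is the one that is enforced.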