Skip to main content Skip to complementary content
Qlik Resources

Configuring X-Frame-Options

Qlik NPrinting supports X-Frame-Options HTTP response headers.

The X-Frame-Options header is a security measure that prevents Qlik NPrinting web console and NewsStand from being embedded in a <frame> or <iframe>. Enabling X-Frame-Options HTTP response headers defends against Cross-Frame Scripting (XFS), clickjacking, and other forms of attack.

XFS headers profiles

The following table illustrates different XFS headers restriction profiles based on X-Frame-Options settings.

[XFS headers restriction profiles]
Configurations XFS header
xfs.headers.enabled=false None

xfs.headers.enabled=true

xfs.headers.option=DENY

X-Frame-Options: DENY

Content-Security-Policy: frame-ancestors 'none'

xfs.headers.enabled=true

xfs.headers.option=SAMEORIGIN

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: frame-ancestors 'self'

xfs.headers.enabled=true

xfs.headers.option=ALLOW-FROM

xfs.headers.allowed_url=https://domain.com

X-Frame-Options: ALLOW-FROM https://domain.com

Content-Security-Policy: frame-ancestors domain.com

Configuring your X-Frame-Options header

Opening the proxy file

To configure X-Frame-Options, you must edit the proxy configuration files for Qlik NPrinting web console and NewsStand. The default locations of these files are:

  • NewsStand proxy configuration file:

    • %ProgramData%\NPrinting\newsstandproxy\app.conf

  • Qlik NPrinting web console proxy configuration file:

    • %ProgramData%\NPrinting\webconsoleproxy\app.conf

Information note You must stop the Qlik NPrinting web engine service before changing any configuration.

Enabling XFS headers

To enable or disable XFS headers, edit the following setting:

Setting: xfs.headers.enabled

Values options:

  • true
  • false

Default value: true

Setting XFS header options

To set specific XFS header options, edit the following setting:

Setting: xfs.headers.option

Values options:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM

Default value: DENY

Allowing a specific URL address

You can indicate a specific URL allowed to use responses inside a frame. This setting must configured when ALLOW-FROM is used for xfs.headers.option. You can insert multiple URLs by inserting a space between each URL.

Setting: xfs.headers.allowed_uri

Example: xfs.headers.allowed_uri=https://domain.com

Default value: undefined

Information note You must restart the Qlik NPrinting web engine service to make your changes effective.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here