Configuring X-Frame-Options
Qlik NPrinting supports X-Frame-Options HTTP response headers.
The X-Frame-Options header is a security measure that prevents Qlik NPrinting web console and NewsStand from being embedded in a <frame> or <iframe>. Enabling X-Frame-Options HTTP response headers defends against Cross-Frame Scripting (XFS), clickjacking, and other forms of attack.
XFS headers profiles
The following table illustrates different XFS headers restriction profiles based on X-Frame-Options settings.
Configurations | XFS header |
---|---|
xfs.headers.enabled=false | None |
xfs.headers.enabled=true<br>xfs.headers.option=DENY | X-Frame-Options: DENY<br>Content-Security-Policy: frame-ancestors 'none' |
xfs.headers.enabled=true<br>xfs.headers.option=SAMEORIGIN | X-Frame-Options: SAMEORIGIN<br>Content-Security-Policy: frame-ancestors 'self' |
xfs.headers.enabled=true<br>xfs.headers.option=ALLOW-FROM<br>xfs.headers.allowed_url=https://domain.com | X-Frame-Options: ALLOW-FROM https://domain.com<br>Content-Security-Policy: frame-ancestors domain.com |
Configuring your X-Frame-Options header
Opening the proxy file
To configure X-Frame-Options, you must edit the proxy configuration files for Qlik NPrinting web console and NewsStand. The default locations of these files are:
- NewsStand proxy configuration file: %ProgramData%\NPrinting\newsstandproxy\app.conf
- Qlik NPrinting web console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf
Enabling XFS headers
To enable or disable XFS headers, edit the following setting:
Setting: xfs.headers.enabled
Value options:
- true
- false
Default value: true
Setting XFS header options
To set specific XFS header options, edit the following setting:
Setting: xfs.headers.option
Value options:
- DENY
- SAMEORIGIN
- ALLOW-FROM
Default value: DENY
Allowing a specific URL address
You can specify a URL that is allowed to display responses inside a frame. This setting must be configured when ALLOW-FROM is used for xfs.headers.option. To allow multiple URLs, separate them with spaces.
Setting: xfs.headers.allowed_uri
Example: xfs.headers.allowed_uri=https://domain.com
Default value: undefined
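To confirm that an edited app.conf produces the headers listed in the profiles table, you can compare the file with the headers of a captured web console or NewsStand response. The following is an added example, not code from Qlik; the function names are hypothetical, and it assumes app.conf holds one key=value setting per line with # comment lines and uses the xfs.headers.allowed_uri key named in the setting above.

```python
from urllib.parse import urlsplit

# Defaults stated on this page; xfs.headers.allowed_uri is undefined by default.
DEFAULTS = {"xfs.headers.enabled": "true", "xfs.headers.option": "DENY"}
FIXED = {"DENY": {"'none'"}, "SAMEORIGIN": {"'self'"}}  # option -> frame-ancestors
# Constructed sample: an app.conf fragment and the headers the table lists for it.
SAMPLE_CONF = "xfs.headers.enabled=true\nxfs.headers.option=SAMEORIGIN\n"
SAMPLE_HEADERS = {"X-Frame-Options": "SAMEORIGIN",
                  "Content-Security-Policy": "frame-ancestors 'self'"}

def parse_conf(text):
    """Read key=value lines (assumed syntax: one setting per line, '#' comments)."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def host(source):
    """Reduce 'https://domain.com' to 'domain.com'; keywords such as 'none' pass through."""
    return urlsplit(source).netloc or source

def audit(conf_text, headers):
    """Return findings where the response headers differ from the configured profile."""
    conf = parse_conf(conf_text)
    if conf["xfs.headers.enabled"].lower() != "true":
        return ["xfs.headers.enabled is not true: no framing restriction is sent"]
    option = conf["xfs.headers.option"].upper()
    uris = conf.get("xfs.headers.allowed_uri", "").split()
    want = {host(u) for u in uris} if option == "ALLOW-FROM" else FIXED.get(option)
    if not want:
        return [f"{option}: unknown option, or ALLOW-FROM without xfs.headers.allowed_uri"]
    hdrs = {k.lower(): v for k, v in headers.items()}
    xfo = hdrs.get("x-frame-options", "")
    got = set()
    for directive in hdrs.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            got = {host(p) for p in parts[1:]}
    findings = []
    if not xfo.upper().startswith(option):
        findings.append(f"X-Frame-Options is {xfo!r}, expected {option}")
    if got != want:
        findings.append(f"frame-ancestors is {sorted(got)}, expected {sorted(want)}")
    return findings
```

An empty list means the response matches the configured profile. Current browsers ignore X-Frame-Options: ALLOW-FROM, so in that profile the frame-ancestors directive is what enforces the restriction.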