Skip to main content

CSRF security for cloud editions of Qlik Sense Enterprise


CSRF security for cloud editions of Qlik Sense Enterprise

What is CSRF? A simple definition of cross-site request forgery (CSRF) is when someone attacks a user’s web application by taking advantage of that user’s authentication. For example, if a user is already authenticated on a secure web application and they click a malicious link during their web session, an attacker can then use their authentication to perform tasks or actions without the user's permission or knowledge.

To ensure that QCS and QSEoK APIs are protected against CSRF security risks, Qlik has implemented token-based anti-CSRF security for its APIs that will prevent CSRF attacks.

This token is generated on the server-side and is linked to a specific session by the web server, which is then used as a hidden value in every web application form. Since the token is on the server side and not in the web session, a hacker has no way to get that token because they do not have access.

How CSRF security is implemented

Qlik's anti-CSRF solution works when the client code is served from the same domain in QCS and QSEoK, as well as in external mashups where the token needs to be read from an endpoint.

For client code that is hosted in the same domain as QCS or QSEoK, the CSRF token is read from a cookie.

For client code that is hosted on a different domain than QCS or QSEoK, like mashups, the CSRF token is available on the endpoint GET /v1/csrf-token that is then exposed and set in the cookie that is returned by the API call.

The CSRF token is validated on all non-GET calls, while rejecting any API calls with missing or bad tokens.