Using Xrfkey headers

A common vulnerability in web clients is cross-site request forgery (CSRF), in which an attacker causes a user's browser to send requests on the user's behalf, effectively impersonating that user against the system. To protect against this vulnerability, calls to the Qlik Sense Repository Service (QRS) API must include the following:

  • Xrfkey parameter: Must equal 16 arbitrary characters. The characters can be changed between calls to the API.
  • X-Qlik-Xrfkey: Custom HTTP header. The format is as follows:
    X-Qlik-Xrfkey: <The same 16 characters as used for the Xrfkey parameter>

The only characters that are allowed for use in the Xrfkey parameter are 0 - 9, a - z, and A - Z.

Example:

The following API call returns all server node configurations in the repository database:

GET https://localhost:4242/qrs/servernodeconfiguration/full?Xrfkey=abcdefghijklmnop HTTP/1.1
Accept-Encoding: gzip,deflate
X-Qlik-User: UserDirectory=INTERNAL; UserId=sa_repository
Accept-Charset: utf-8; q=0.9, us-ascii;q=0.1, iso-8859-1
Accept: text/xml; q=0.1, application/json; q=0.2
X-Qlik-Xrfkey: abcdefghijklmnop
Host: localhost:4242
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
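The following is an added example, not code from the Qlik Sense documentation or the QRS itself. It shows both halves of the mechanism described above: a client that generates a 16-character key from the allowed alphabet and places the same value in the Xrfkey query parameter and the X-Qlik-Xrfkey header, and a model of the server-side rule the page states (parameter present, well-formed, and identical to the header). The helper names, the sample request values and the check function are constructed here as assumptions; the check is an illustration of the documented rule, not the repository's own implementation.

```python
import re
import secrets
import string
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (constructed for this example, not from the Qlik documentation):
# the helper names, the sample request values and the model check below.
XRFKEY_ALPHABET = string.ascii_letters + string.digits  # 0-9, a-z, A-Z only
XRFKEY_LENGTH = 16
XRFKEY_RE = re.compile(r"[0-9A-Za-z]{16}")


def generate_xrfkey() -> str:
    """Return 16 random characters from the allowed alphabet.

    The page only requires the characters to be arbitrary; drawing them from
    a CSPRNG keeps the value unguessable, and a fresh key per call is allowed.
    """
    return "".join(secrets.choice(XRFKEY_ALPHABET) for _ in range(XRFKEY_LENGTH))


def build_qrs_request(base_url: str, path: str, xrfkey: str,
                      user_directory: str, user_id: str):
    """Build the URL and headers for a QRS call protected with an Xrfkey.

    The same 16 characters go into the Xrfkey query parameter and the
    X-Qlik-Xrfkey header; that pairing is what the repository checks.
    """
    if not XRFKEY_RE.fullmatch(xrfkey):
        raise ValueError("Xrfkey must be exactly 16 characters from 0-9, a-z, A-Z")
    url = f"{base_url}{path}?{urlencode({'Xrfkey': xrfkey})}"
    headers = {
        "X-Qlik-Xrfkey": xrfkey,
        "X-Qlik-User": f"UserDirectory={user_directory}; UserId={user_id}",
        "Accept": "application/json",
    }
    return url, headers


def xrfkey_check(url: str, headers: dict) -> tuple:
    """Model of the server-side rule (constructed here, not QRS code).

    A request passes only when the Xrfkey parameter is present exactly once,
    is 16 alphanumeric characters, and equals the X-Qlik-Xrfkey header.
    A forged cross-site request can carry the victim's cookies, but the
    attacker's page cannot read the key or set a matching custom header,
    so a missing or mismatched pair is rejected. Returns (accepted, reason).
    """
    values = parse_qs(urlsplit(url).query).get("Xrfkey", [])
    if len(values) != 1:
        return False, "Xrfkey parameter missing or repeated"
    param = values[0]
    if not XRFKEY_RE.fullmatch(param):
        return False, "Xrfkey parameter must be 16 characters from 0-9, a-z, A-Z"
    # HTTP header names are case-insensitive, so compare them accordingly.
    header = next((v for k, v in headers.items() if k.lower() == "x-qlik-xrfkey"), None)
    if header is None:
        return False, "X-Qlik-Xrfkey header missing"
    if header != param:
        return False, "X-Qlik-Xrfkey header does not match the Xrfkey parameter"
    return True, "ok"


if __name__ == "__main__":
    # Reproduce the documented example request with the key from the page.
    url, headers = build_qrs_request(
        "https://localhost:4242", "/qrs/servernodeconfiguration/full",
        "abcdefghijklmnop", "INTERNAL", "sa_repository")
    print(url)
    print(headers)
    print(xrfkey_check(url, headers))
    # A request whose header was dropped fails the check.
    print(xrfkey_check(url, {"Accept": "application/json"}))
```

The check deliberately treats a repeated Xrfkey parameter as a failure: accepting "any one of several" values would let a mismatched header slip through, so the comparison is only meaningful against a single value.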
