Requests sent to external modules, the Qlik Sense Repository Service (QRS), Qlik Management Console (QMC), and Qlik Sense Engine Service (QES) have the X-Qlik-Security header injected.
The header has the following format:
X-Qlik-Security: SecureRequest=true; Context=ManagementAccess; TicketAttribute1=TicketValue1; TicketAttribute2=; … TicketAttributen=TicketValuen;
where:
- SecureRequest: True or false
- Context: ManagementAccess (for QMC access) or AppAccess (for QES access)
- TicketAttributex and TicketValuex are the ones posted along with the user ID via the Authentication API when Authentication modules create tickets for users. Ticket attributes with empty values use the “=” (equal) sign (for example, see TicketAttribute2 above).
If the Extended security environment setting has been enabled in the QMC, the header has the following format:
X-Qlik-Security: OS=Windows; Device=Default; Browser=Chrome 21.0.1180.79; SecureRequest=true; IP=10.88.3.35; Context=ManagementAccess; TicketAttribute1=TicketValue1; TicketAttribute2=; … TicketAttributen=TicketValuen;
where:
- OS: Windows, Linux, macOS X, or Unknown
- Device: iPhone, iPad, or Default
- Browser: Chrome, Firefox, Safari, MSIE, or Unknown followed by version number
- IP: IP number