Skip to main content

X-Qlik-Security header

Requests sent to external modules, the Qlik Sense Repository Service (QRS), Qlik Management Console (QMC), and Qlik Sense Engine Service (QES) have the X-Qlik-Security header injected.

The header has the following format:

X-Qlik-Security: SecureRequest=true; Context=ManagementAccess; TicketAttribute1=TicketValue1; TicketAttribute2=; … TicketAttributen=TicketValuen;

where:

  • SecureRequest: True or false
  • Context: ManagementAccess (for QMC access) or AppAccess (for QES access)
  • TicketAttributex and TicketValuex are the ones posted along with the user ID via the Authentication API when Authentication modules create tickets for users. Ticket attributes with empty values use the “=” (equal) sign (for example, see TicketAttribute2 above).

If the Extended security environment setting has been enabled in the QMC, the header has the following format:

X-Qlik-Security: OS=Windows; Device=Default; Browser=Chrome 21.0.1180.79; SecureRequest=true; IP=10.88.3.35; Context=ManagementAccess; TicketAttribute1=TicketValue1; TicketAttribute2=; … TicketAttributen=TicketValuen;

where:

  • OS: Windows, Linux, Mac OS X, or Unknown
  • Device: iPhone, iPad, or Default
  • Browser: Chrome, Firefox, Safari, MSIE, or Unknown followed by version number
  • IP: IP number