QlikWorld 2020 Global Conference. Join us to discover how to get the most from your data. Act fast. Register now and save.

Using Xrfkey headers

A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. To protect against this vulnerability, calls to the Qlik Sense Repository Service (QRS) API must include the following:

  • Xrfkey parameter: Must equal 16 arbitrary characters. The characters can be changed between calls to the API.
  • x-Qlik-Xrfkey: Custom HTTP header. The format is as follows:
  • x-Qlik-Xrfkey: <The same 16 characters as used for the Xrfkey parameter>

Note: The only characters that are allowed for use in the Xrfkey parameter are 0 - 9, a - z, and A - Z.


The following API call returns all server node configurations in the repository database:

https://localhost:4242/qrs/servernodeconfiguration/full?Xrfkey= abcdefghijklmnop HTTP/1.1
Accept-Encoding: gzip,deflate
X-Qlik-User: UserDirectory=INTERNAL; UserId=sa_repository
Accept-Charset: utf-8; q=0.9, us-ascii;q=0.1, iso-8859-1
Accept: text/xml; q=0.1, application/json; q=0.2
X-Qlik-Xrfkey: abcdefghijklmnop
Host: localhost:4242
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Did this information help you?

Thanks for letting us know. Is there anything you'd like to tell us about this topic?

Can you tell us why it did not help you and how we can improve it?