Using Xrfkey headers
A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. To protect against this vulnerability, calls to the Qlik Sense Proxy Service (QPS) API must include the following:
- Xrfkey query parameter: Must equal 16 arbitrary characters. The characters can be changed between calls to the API. The format is as follows:
  Xrfkey=<16 arbitrary characters>
- X-Qlik-Xrfkey: Custom HTTP header. The format is as follows:
  X-Qlik-Xrfkey: <the same 16 characters as used for the Xrfkey query parameter>
Example:
The following API call returns all server node configurations in the repository database:
https://localhost:4242/qrs/servernodeconfiguration/full?Xrfkey=abcdefghijklmnop&orderby=name%20asc HTTP/1.1
Accept-Encoding: gzip,deflate
X-Qlik-User: UserDirectory=INTERNAL; UserId=sa_repository
Accept-Charset: utf-8; q=0.9, us-ascii;q=0.1, iso-8859-1
Accept: text/xml; q=0.1, application/json; q=0.2
X-Qlik-Xrfkey: abcdefghijklmnop
Host: localhost:4242
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
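The following Python sketch is an added example, not Qlik code. It generates a fresh 16-character key for a call, places it in both the Xrfkey query parameter and the X-Qlik-Xrfkey header, and checks that a request carries a matching pair. The function names and the choice of letters and digits as the character set are assumptions made for this example.

```python
import secrets
import string
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

XRF_LEN = 16
# Assumption: letters and digits only, so the key never needs URL escaping.
_ALPHABET = string.ascii_letters + string.digits


def new_xrfkey():
    """Return 16 fresh random characters; a new key may be used for each call."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(XRF_LEN))


def add_xrfkey(url, headers=None):
    """Return (url, headers) carrying one key in the query string and the header."""
    key = new_xrfkey()
    parts = urlsplit(url)
    # Drop any Xrfkey already present; keep the other parameters in order.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "Xrfkey"]
    query.append(("Xrfkey", key))
    out_headers = dict(headers or {})  # do not mutate the caller's dict
    out_headers["X-Qlik-Xrfkey"] = key
    new_query = urlencode(query, quote_via=quote)  # spaces stay %20
    return urlunsplit(parts._replace(query=new_query)), out_headers


def xrfkey_problem(url, headers):
    """Return None when parameter and header agree, else a short reason."""
    params = [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
              if k == "Xrfkey"]
    # HTTP header names are case-insensitive.
    header = next((v.strip() for k, v in headers.items()
                   if k.lower() == "x-qlik-xrfkey"), None)
    if len(params) != 1:
        return "expected exactly one Xrfkey query parameter"
    if header is None:
        return "missing X-Qlik-Xrfkey header"
    if len(params[0]) != XRF_LEN:
        return "Xrfkey is not 16 characters"
    if not secrets.compare_digest(params[0].encode(), header.encode()):
        return "header and query parameter differ"
    return None
```

Pass the returned URL and headers to the HTTP client of your choice; xrfkey_problem can also be run over captured requests to spot calls that would be rejected.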