# WebSocket CSRF protection

Before the **Qlik Sense November 2024 release**, WebSockets **did not require CSRF protection**. However, in the **November 2024 update**, Qlik **extended CSRF protection to WebSocket connections** for enhanced security.

### **What Changed in November 2024?**

1. **WebSocket Requests Are Now Subject to CSRF Protection**
   * Previously, CSRF protection applied **only to HTTP API requests**.
   * Now, **WebSockets also require CSRF tokens** to prevent unauthorized cross-site requests.
2. **Stricter Browser Security Policies**
   * Some modern browsers, like Chrome and Edge, enforce **stricter cross-site WebSocket security**.
   * Without explicit **CORS headers** allowing credentials, the browser **blocks WebSocket connections**.
3. **Qlik Now Requires CSRF Token Handling for WebSockets**
   * When the Qommentary Admin Console **loads `require.js` from Qlik**, it initiates a WebSocket connection.
   * Qlik **expects a CSRF token**, but without the correct headers, your browser **blocks the connection**.

***

### **Why Are These Headers Required?**

| **Header**                                            | **Purpose**                                                                          |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------ |
| `Access-Control-Allow-Origin: http://qommentary:5006` | Allows the mashup (running in the browser) to access Qlik resources.                 |
| `Access-Control-Allow-Credentials: true`              | Ensures cookies (including session authentication) are sent with WebSocket requests. |
| `Access-Control-Expose-Headers: qlik-csrf-token`      | Allows the browser to read the CSRF token from the WebSocket response.               |

***

### **Why Didn’t You Need This Before?**

* **Pre-Nov 2024:**
  * WebSockets bypassed CSRF checks.
  * Qlik didn’t require CSRF tokens for WebSockets.
  * Your browser allowed the connection without extra headers.
* **Post-Nov 2024:**
  * Qlik enforces CSRF protection on **all WebSocket connections**.
  * The browser **rejects** WebSocket requests if the required headers are missing.

***

### **Solution**

To restore functionality, you must **manually allow cross-origin WebSocket requests** in Qlik Sense:

1. **Go to QMC → Virtual Proxy → Advanced Settings**.
2. **Add these headers under "Additional Response Headers":**

   ```
   Access-Control-Allow-Origin: http://qommentary:5006
   Access-Control-Allow-Credentials: true
   Access-Control-Expose-Headers: qlik-csrf-token
   ```
3. **Apply changes and restart Qlik services**.
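To confirm the Virtual Proxy really emits the three headers from the table above (and that `Access-Control-Allow-Origin` is the exact mashup origin rather than a wildcard, which browsers refuse on credentialed requests), here is an added example that is not part of the Qommentary documentation or Qlik's own code. It parses a captured response header block and lists anything that would make the browser drop the connection; the sample response is constructed, and the function names are ours.

```javascript
// Added example (not from the Qommentary docs or from Qlik): check that a
// Qlik Sense Virtual Proxy response carries the headers the mashup needs.
// The header block at the bottom is constructed; paste `curl -sI` output there.
const REQUIRED_EXPOSED_HEADER = 'qlik-csrf-token';

// Parse a raw HTTP header block into a lower-cased name -> value map.
// Repeated headers are joined with ", ", which is how a browser sees them.
function parseHeaderBlock(text) {
  const headers = Object.create(null);
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skips the status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Return the problems that would make the browser drop a credentialed
// cross-origin WebSocket from mashupOrigin. An empty list means all is well.
function checkQlikCorsHeaders(headers, mashupOrigin) {
  const problems = [];
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin === '*') {
    // Browsers refuse a wildcard origin whenever credentials are sent.
    problems.push('Access-Control-Allow-Origin must be the exact mashup origin, not *');
  } else if (allowOrigin !== mashupOrigin) {
    problems.push(`Access-Control-Allow-Origin is ${allowOrigin}, expected ${mashupOrigin}`);
  }
  if ((headers['access-control-allow-credentials'] || '').toLowerCase() !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be "true" so the session cookie is sent');
  }
  const exposed = (headers['access-control-expose-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  if (!exposed.includes(REQUIRED_EXPOSED_HEADER)) {
    problems.push(`Access-Control-Expose-Headers must list ${REQUIRED_EXPOSED_HEADER}`);
  }
  return problems;
}

// Constructed sample of a response after the three headers were added in the QMC.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: http://qommentary:5006',
  'Access-Control-Allow-Credentials: true',
  'Access-Control-Expose-Headers: qlik-csrf-token',
].join('\r\n');
console.log(checkQlikCorsHeaders(parseHeaderBlock(SAMPLE_RESPONSE), 'http://qommentary:5006'));
```

An empty array means the mashup origin will get through; each entry otherwise names the header to fix in the Virtual Proxy's "Additional Response Headers".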
