WebSocket CSRF protection

Before the Qlik Sense November 2024 release, WebSockets did not require CSRF protection. However, in the November 2024 update, Qlik extended CSRF protection to WebSocket connections for enhanced security.

What Changed in November 2024?

  1. WebSocket Requests Are Now Subject to CSRF Protection
    • Previously, CSRF protection applied only to HTTP API requests.
    • Now, WebSockets also require CSRF tokens to prevent unauthorized cross-site requests.
  2. Stricter Browser Security Policies
    • Some modern browsers, like Chrome and Edge, enforce stricter cross-site WebSocket security.
    • Without explicit CORS headers allowing credentials, the browser blocks WebSocket connections.
  3. Qlik Now Requires CSRF Token Handling for WebSockets
    • When the Qommentary Admin Console loads require.js from Qlik, it initiates a WebSocket connection.
    • Qlik expects a CSRF token, but without the correct headers, your browser blocks the connection.

Why Are These Headers Required?

Header                                              | Purpose
----------------------------------------------------|--------------------------------------------------------------------------------------
Access-Control-Allow-Origin: http://qommentary:5006 | Allows the mashup (running in the browser) to access Qlik resources.
Access-Control-Allow-Credentials: true              | Ensures cookies (including session authentication) are sent with WebSocket requests.
Access-Control-Expose-Headers: qlik-csrf-token      | Allows the browser to read the CSRF token from the WebSocket response.

Why Didn’t You Need This Before?

  • Pre-Nov 2024:
    • WebSockets bypassed CSRF checks.
    • Qlik didn’t require CSRF tokens for WebSockets.
    • Your browser allowed the connection without extra headers.
  • Post-Nov 2024:
    • Qlik enforces CSRF protection on all WebSocket connections.
    • The browser rejects WebSocket requests if the required headers are missing.

Solution

To restore functionality, you must manually allow cross-origin WebSocket requests in Qlik Sense:

  1. Go to QMC → Virtual Proxy → Advanced Settings.

  2. Add these headers under "Additional Response Headers":

    Access-Control-Allow-Origin: http://qommentary:5006
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: qlik-csrf-token
  3. Apply changes and restart Qlik services.
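Because Access-Control-Allow-Credentials is true, browsers accept only an exact origin in Access-Control-Allow-Origin, never a wildcard, and the credentials value itself must be the literal string true. The checker below is an added example (not Qommentary's or Qlik's code) that validates a set of response headers, such as those the virtual proxy returns after step 3, against the three requirements on this page; the header map and the mashup origin http://qommentary:5006 are assumed inputs.

```python
"""Validate the CORS response headers a Qlik Sense virtual proxy must send so the
Qommentary mashup can open cross-origin WebSockets (example, not Qommentary code)."""
from urllib.parse import urlsplit

EXPECTED_EXPOSED = "qlik-csrf-token"  # header the browser must be allowed to read


def normalize_origin(origin: str) -> str:
    """Reduce an origin to scheme://host:port, the tuple browsers actually compare,
    so a trailing slash or differing host case does not cause a false mismatch."""
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.hostname:
        return origin.strip().lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}:{port}"


def check_cors_headers(headers: dict, mashup_origin: str) -> list:
    """Return a list of findings; an empty list means the three headers are correct."""
    # Header names are case-insensitive, so normalise the keys before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        findings.append("Access-Control-Allow-Origin is missing")
    elif allow_origin == "*":
        # Browsers refuse a wildcard origin whenever credentials are allowed.
        findings.append("Access-Control-Allow-Origin is '*'; use the exact mashup origin")
    elif normalize_origin(allow_origin) != normalize_origin(mashup_origin):
        findings.append(f"Access-Control-Allow-Origin '{allow_origin}' does not match {mashup_origin}")

    if h.get("access-control-allow-credentials") != "true":
        # The Fetch spec requires the literal, case-sensitive value "true".
        findings.append("Access-Control-Allow-Credentials must be exactly 'true'")

    exposed = [x.strip().lower() for x in h.get("access-control-expose-headers", "").split(",")]
    if EXPECTED_EXPOSED not in exposed:
        findings.append(f"Access-Control-Expose-Headers does not list {EXPECTED_EXPOSED}")
    return findings


# Constructed sample: the three headers this page tells you to add in the QMC.
SAMPLE_GOOD = {
    "Access-Control-Allow-Origin": "http://qommentary:5006",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Expose-Headers": "qlik-csrf-token",
}
```

Feed it the response headers captured from a request to the virtual proxy path; an empty result means the browser will accept the credentialed cross-origin request and can read qlik-csrf-token.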
