# WebSocket CSRF protection Before the **Qlik Sense November 2024 release**, WebSockets **did not require CSRF protection**. However, in the **November 2024 update**, Qlik **extended CSRF protection to WebSocket connections** for enhanced security. ### **What Changed in November 2024?** 1. **WebSocket Requests Are Now Subject to CSRF Protection** * Previously, CSRF protection applied **only to HTTP API requests**. * Now, **WebSockets also require CSRF tokens** to prevent unauthorized cross-site requests. 2. **Stricter Browser Security Policies** * Some modern browsers, like Chrome and Edge, enforce **stricter cross-site WebSocket security**. * Without explicit **CORS headers** allowing credentials, the browser **blocks WebSocket connections**. 3. **Qlik Now Requires CSRF Token Handling for WebSockets** * When the Qommentary Admin Console **loads `require.js` from Qlik**, it initiates a WebSocket connection. * Qlik **expects a CSRF token**, but without the correct headers, your browser **blocks the connection**. *** ### **Why Are These Headers Required?** | **Header** | **Purpose** | | ----------------------------------------------------- | ------------------------------------------------------------------------------------ | | `Access-Control-Allow-Origin: http://qommentary:5006` | Allows the mashup (running in the browser) to access Qlik resources. | | `Access-Control-Allow-Credentials: true` | Ensures cookies (including session authentication) are sent with WebSocket requests. | | `Access-Control-Expose-Headers: qlik-csrf-token` | Allows the browser to read the CSRF token from the WebSocket response. | *** ### **Why Didn’t You Need This Before?** * **Pre-Nov 2024:** * WebSockets bypassed CSRF checks. * Qlik didn’t require CSRF tokens for WebSockets. * Your browser allowed the connection without extra headers. * **Post-Nov 2024:** * Qlik enforces CSRF protection on **all WebSocket connections**. * The browser **rejects** WebSocket requests if the required headers are missing. *** ### **Solution** To restore functionality, you must **manually allow cross-origin WebSocket requests** in Qlik Sense: 1. **Go to QMC → Virtual Proxy → Advanced Settings**. 2. **Add these headers under "Additional Response Headers":** ``` Access-Control-Allow-Origin: http://qommentary:5006 Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: qlik-csrf-token ``` 3. **Apply changes and restart Qlik services**.