The expected behaviour is that every request sent from the browser to the web server is unique, so that an attacker cannot trick a logged-in user's browser into replaying a sequence of requests (cross-site request forgery).
Prior to SR 2 build 11440, requests are not unique, making it possible for an attacker to trick a logged-in user into sending requests to the QV server that the server will then execute.
To enable the feature in QlikView 11 SR 2 build 11440:
- Locate each web server's config.xml, located by default under C:\ProgramData\QlikTech\WebServer.
- Under the Ajax element, add a tag called <CrossSiteRequestForgeryProtection> with one of the values described below (On or OffWithLogging).
Example: <CrossSiteRequestForgeryProtection>On</CrossSiteRequestForgeryProtection>
- Once changed, save the file and restart the QlikView Web Server service (or IIS, if the web server is hosted there).
- When set to "On", suspicious requests are not passed through, and one warning about Cross Site Request Forgery attacks is written to the QVWS log.
- When set to "OffWithLogging", requests are passed through, but information on all suspected Cross Site Request Forgery attacks is logged.
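The procedure above, scripted for an administrator who has to apply it on several web servers. This is an added example, not a script shipped by Qlik or taken from the original article. It assumes that each config.xml has a root element containing an <Ajax> element with no XML default namespace, that the QlikView Web Server Windows service is named QlikViewWebServer (change the parameter if your installation differs, or run iisreset when the site is hosted in IIS), and that the default folder from the article is used:

```powershell
# Added example: set CrossSiteRequestForgeryProtection in every config.xml under the
# QlikView WebServer folder, then restart the web server so the setting takes effect.
# Assumptions (not stated in the article): no XML default namespace in config.xml,
# and a QVWS service named "QlikViewWebServer".
param(
    [string]$ConfigRoot  = 'C:\ProgramData\QlikTech\WebServer',
    [ValidateSet('On', 'OffWithLogging')]
    [string]$Mode        = 'On',
    [string]$ServiceName = 'QlikViewWebServer'   # assumed service name
)

$configs = Get-ChildItem -Path $ConfigRoot -Filter 'config.xml' -Recurse -ErrorAction Stop
if (-not $configs) { throw "No config.xml found under $ConfigRoot" }

foreach ($file in $configs) {
    # Keep a timestamped backup before touching the file
    $backup = '{0}.{1}.bak' -f $file.FullName, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $file.FullName -Destination $backup

    [xml]$xml = Get-Content -Path $file.FullName -Raw
    $ajax = $xml.SelectSingleNode('//Ajax')
    if ($null -eq $ajax) {
        Write-Warning "No <Ajax> element in $($file.FullName); skipping"
        continue
    }

    $node = $ajax.SelectSingleNode('CrossSiteRequestForgeryProtection')
    if ($null -eq $node) {
        # Tag is absent (the pre-SR 2 layout): create it directly under <Ajax>
        $node = $xml.CreateElement('CrossSiteRequestForgeryProtection')
        [void]$ajax.AppendChild($node)
    }
    # Overwrite any existing value; trim so stray whitespace such as " On " cannot creep in
    $node.InnerText = $Mode.Trim()
    $xml.Save($file.FullName)
    Write-Host "Set CrossSiteRequestForgeryProtection=$Mode in $($file.FullName)"
}

# Restart the web server so the new setting is read
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Restart-Service -Name $ServiceName -Force
} else {
    Write-Warning "Service '$ServiceName' not found; if QlikView runs under IIS, run 'iisreset' instead"
}

# Verify: re-read each file and print the effective value
foreach ($file in $configs) {
    [xml]$check = Get-Content -Path $file.FullName -Raw
    $value = $check.SelectSingleNode('//Ajax/CrossSiteRequestForgeryProtection')
    '{0}: {1}' -f $file.FullName, $(if ($value) { $value.InnerText } else { '<missing>' })
}
```

Run it from an elevated PowerShell prompt on each QlikView web server host. After the restart, confirm the change in the QVWS log: with "On", a warning about Cross Site Request Forgery attacks should appear when a forged request is rejected; with "OffWithLogging", the log should show suspected CSRF requests while the requests themselves are still served, which is useful for a monitoring period before switching to "On".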
For additional information: