Qlik Community
To protect QlikView documents served through the AccessPoint against Cross-Site Request Forgery (CSRF) attacks [1], QlikView Server administrators can enable CSRF protection in the QlikView webserver configuration file.
CSRF protection is applied only while an open QlikView document is being displayed and acted upon, not while the AccessPoint page itself is being browsed. The reason is that, from a security point of view, no critical modifications can be made through the AccessPoint by way of a CSRF attack.
CSRF protection tokens are present in all document action (HTTP) requests regardless of whether the feature is enabled or disabled, but the webserver validates the tokens, and thus provides CSRF protection, only when the feature is enabled.
In the QlikView webserver configuration file (ProgramData\QlikTech\WebServer\config.xml), change the setting <CrossSiteRequestForgeryProtection>Off</CrossSiteRequestForgeryProtection> to <CrossSiteRequestForgeryProtection>on</CrossSiteRequestForgeryProtection>. Note that CSRF protection is disabled (Off) by default. After editing config.xml, restart the QlikView WebServer Service, the QlikView Settings Service or IIS (whichever serves the AccessPoint) for the change to take effect.
When CSRF protection is enabled, the webserver verifies that the xrfkey token value in the POST request URL matches the value of the xrfkey cookie. If the two differ, the webserver rejects the request. This is the double-submit cookie pattern: a page on another origin can make the victim's browser send the xrfkey cookie along with a forged request, but it cannot read that cookie and therefore cannot place the matching value in the request URL.
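The check described above, modelled in Python as an added example (this is not QlikView's own code). It reads the CrossSiteRequestForgeryProtection setting from a constructed config.xml fragment, then applies the double-submit rule to a POST request: the xrfkey value in the URL query string must equal the xrfkey cookie, and the comparison is only enforced when the setting is On. The request path /document/action, the token length, and the result strings are assumptions made for the example; the real webserver additionally distinguishes document action requests from AccessPoint browsing, which is not modelled here.

```python
"""Double-submit CSRF check in the style of the QlikView webserver's
xrfkey validation (added example, not QlikView code)."""
import hmac
import secrets
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed config.xml fragments; the real file contains many more settings.
CONFIG_OFF = ("<Config><CrossSiteRequestForgeryProtection>Off"
              "</CrossSiteRequestForgeryProtection></Config>")
CONFIG_ON = CONFIG_OFF.replace(">Off<", ">On<")

# Hypothetical document action endpoint used for the sample requests.
ACTION_URL = "/document/action"


def csrf_protection_enabled(config_xml: str) -> bool:
    """True when <CrossSiteRequestForgeryProtection> is set to On (case-insensitive)."""
    root = ET.fromstring(config_xml)
    node = root.find(".//CrossSiteRequestForgeryProtection")
    return node is not None and (node.text or "").strip().lower() == "on"


def new_xrfkey() -> str:
    """Fresh random token for the xrfkey cookie; 16 hex chars is an assumed length."""
    return secrets.token_hex(8)


def check_request(method: str, url: str, headers: dict, config_xml: str):
    """Return (allowed, reason) for one request under the given configuration."""
    if not csrf_protection_enabled(config_xml):
        # Tokens are still sent, but nothing validates them when the feature is Off.
        return True, "csrf-protection-off"
    if method.upper() != "POST":
        # Only document action POSTs are subject to the check in this model.
        return True, "not-a-document-action"

    url_keys = parse_qs(urlsplit(url).query).get("xrfkey", [])
    cookies = SimpleCookie(headers.get("Cookie", ""))
    cookie_key = cookies["xrfkey"].value if "xrfkey" in cookies else None

    if len(url_keys) != 1 or cookie_key is None:
        return False, "missing-xrfkey"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(url_keys[0].encode(), cookie_key.encode()):
        return False, "xrfkey-mismatch"
    return True, "xrfkey-ok"


def demo():
    """Legitimate request, forged cross-site request, and the Off/On difference."""
    key = new_xrfkey()
    victim_headers = {"Cookie": f"xrfkey={key}"}
    legit = check_request("POST", f"{ACTION_URL}?xrfkey={key}", victim_headers, CONFIG_ON)
    # A cross-site page can make the browser attach the cookie but cannot read it,
    # so the forged URL carries no token or a guessed one.
    forged_no_token = check_request("POST", ACTION_URL, victim_headers, CONFIG_ON)
    forged_guess = check_request("POST", f"{ACTION_URL}?xrfkey={'0' * 16}",
                                 victim_headers, CONFIG_ON)
    # With the feature Off (the default) the same forged request goes through.
    forged_off = check_request("POST", f"{ACTION_URL}?xrfkey={'0' * 16}",
                               victim_headers, CONFIG_OFF)
    return legit, forged_no_token, forged_guess, forged_off


if __name__ == "__main__":
    for name, result in zip(("legit", "forged_no_token", "forged_guess", "forged_off"), demo()):
        print(f"{name:16s} -> {result}")
```

The demo shows why the default matters: with the setting Off, a forged POST carrying a guessed token is accepted, and only after switching it On does the mismatched or missing token cause a rejection.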
[1] OWASP Top 10 2013, A8: Cross-Site Request Forgery (CSRF), https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_%28CSRF%29