In Qlik Sense, using the default setup, it is possible to embed a Qlik Sense site into an iframe external to the site and, potentially, capture credentials.
The main defense against this potential vulnerability is to set the X-Frame-Options response header on the server's responses. This header governs whether a browser should or should not render a page inside an iframe.
There are a handful of values which can be configured. Support for them depends on the web browser, so investigate how the X-Frame-Options value you are setting is handled by the browsers in use.
Using a simple HTML page, you can test for this vulnerability:
<html>
  <head>
    <title>Test</title>
  </head>
  <body>
    <p>You've been clickjacked!</p>
    <!-- Edit Server.domain.com to point to your server URL -->
    <iframe src="https://Server.domain.com/hub" width="500" height="500"></iframe>
  </body>
</html>
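The same check can be made on the response headers themselves, without loading a test page. The following Python is an added example, not Qlik's code: it grades only the X-Frame-Options header covered here, and the function names, the portal.example.com origin and the sample header blocks are constructed for illustration.

```python
# Added example: grade the X-Frame-Options protection in an HTTP response.
# All header blocks below are constructed samples, not captured from Qlik Sense.

def parse_headers(raw):
    """Parse a raw header block into (lowercase name, value) pairs."""
    pairs = []
    # Assumption: the block starts with the HTTP status line, which is skipped.
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_verdict(raw):
    """Return (status, reason); status is protected, unreliable or unprotected."""
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    # A repeated header and a comma-joined value mean the same thing.
    tokens = {t.strip().upper() for v in values for t in v.split(",") if t.strip()}
    if not tokens:
        return "unprotected", "no X-Frame-Options header: any site can frame the page"
    if len(tokens) > 1:
        return "unreliable", "conflicting values %s: handling differs by browser" % sorted(tokens)
    token = tokens.pop()
    if token == "DENY":
        return "protected", "framing refused for every origin"
    if token == "SAMEORIGIN":
        return "protected", "framing allowed only from the site's own origin"
    if token.startswith("ALLOW-FROM"):
        return "unreliable", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "unprotected", "unrecognised value %r is ignored by browsers" % token

# Constructed responses: default setup, hardened, legacy value, duplicated header.
SAMPLES = {
    "default": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "hardened": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "legacy": "HTTP/1.1 200 OK\r\nx-frame-options: ALLOW-FROM https://portal.example.com\r\n",
    "doubled": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, framing_verdict(raw))
```

To grade a real server, paste the header block returned for the hub URL into `framing_verdict`; anything other than `protected` means the iframe test page above is likely to render the site in at least some browsers.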