What is CSP (Content-Security-Policy) and How does it Relate to Qlik?

Sonja_Bauernfeind (Digital Support)

Last Update: Sep 20, 2021 9:10:33 AM

Updated By: Sonja_Bauernfeind

Created date: Oct 28, 2017 7:36:57 AM

What is CSP (Content-Security-Policy)?

CSP helps to prevent cross-site scripting attacks by controlling which resources a browser is allowed to load and execute for a page it has requested from a server.

Say a user navigates to https://www.goodpage.com.

The user's browser sends a GET request to https://www.goodpage.com, and the server in turn responds with resources such as HTML, CSS, images, and so on. In a cross-site scripting attack, the browser is tricked into also making requests to an unintended page such as https://evilpage.com. Normally, browsers implement the Same Origin Policy, which restricts how scripts from one origin can interact with resources requested from a different origin (two resources share an origin when they come from the same protocol, domain, and port). However, this can be circumvented in various ways that are outside the scope of this article.

Content-Security-Policy allows a web administrator to send a custom set of instructions ("policies") to the browser, via the Content-Security-Policy response header, that tell the browser to treat resources according to particular rules. For example, it is possible to tell the browser to execute JavaScript only from a specific domain, and if a page then attempts to load a script from anywhere else, the browser can also be told to send a violation report to a specified URI. If a browser does not implement CSP, it simply falls back to the Same Origin Policy.
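To make the directive behaviour above concrete, here is a small model (added for this article; it is not Qlik's code nor a real browser implementation) of how a browser evaluates a Content-Security-Policy header: it parses the header, falls back from script-src to default-src, applies 'self' and host-source matching, and reports where a violation report would be sent. The EXAMPLE_CSP policy, the cdn.goodpage.com host and the /csp-report endpoint are constructed for illustration, and only a subset of the real source-expression syntax is handled.

```javascript
// Constructed example: a minimal model of browser-side CSP enforcement.
// Handles default-src, <type>-src, report-uri, 'self', 'none', scheme sources
// and host sources (optionally with scheme, a leading "*." wildcard and a port).

// Turn "script-src 'self' https://cdn.goodpage.com; report-uri /csp-report"
// into { 'script-src': ["'self'", 'https://cdn.goodpage.com'], 'report-uri': ['/csp-report'] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit `resource` (a URL object) for a page at `pageOrigin`?
function sourceMatches(source, resource, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return resource.origin === pageOrigin;
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return resource.protocol === source.toLowerCase();
  // Host source such as "https://*.goodpage.com:8443"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && resource.protocol !== scheme.toLowerCase() + ':') return false;
  const rHost = resource.hostname.toLowerCase();
  const hostOk = wildcard ? rHost.endsWith('.' + host.toLowerCase()) : rHost === host.toLowerCase();
  if (!hostOk) return false;
  if (port && resource.port !== port) return false; // simplified: default ports are not normalised
  return true;
}

// May the page at `pageUrl` load `resourceUrl` as `type` ('script', 'img', ...)?
// Uses <type>-src if present, otherwise default-src, as the spec does. Returns the
// decision and, when blocked, the report-uri endpoint that would receive the report.
function evaluate(header, pageUrl, resourceUrl, type) {
  const policy = parseCsp(header);
  const directive = policy[type + '-src'] || policy['default-src'];
  const resource = new URL(resourceUrl);
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = directive === undefined
    ? true // no applicable directive: CSP adds no restriction, Same Origin Policy still applies
    : directive.some((s) => sourceMatches(s, resource, pageOrigin));
  return { allowed, reportTo: allowed ? null : (policy['report-uri'] || [])[0] || null };
}

// Constructed policy for the article's example page: scripts only from its own origin
// and a CDN host, everything else only from the page's own origin, violations reported.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.goodpage.com; report-uri /csp-report";
```

With this policy a script from https://evilpage.com is blocked and would be reported to /csp-report, while an image request to that host is blocked by the default-src fallback.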

There is a wealth of information about this available online (such as Mozilla's developer documentation) if you wish to dig further into the specific details of how to implement various Content Security Policies.

How is CSP (Content-Security-Policy) Relevant to Qlik?

Generally speaking, it's not.

CSP is implemented by the browser, and its implementation is therefore going to vary from browser to browser. If there is an issue with CSP or a general question about CSP with a specific browser version, then this is a browser issue and not a Qlik issue.

The only point where Qlik comes into the equation is when Qlik Sense has been configured to send custom response headers itself (rather than having a frontend web server add them, which is the better practice). If Qlik Sense has been configured this way but is not sending the custom response headers at all, then that would be a Qlik problem. Please see How to add additional response headers in Qlik Sense for information on how to send custom response headers in Qlik Sense. Please also see Can QlikView Send Custom HTTP Response Headers? for more information on sending custom headers in QlikView.


Environment:

Qlik Sense Enterprise on Windows 
QlikView 

Comments
_rohitgharat (Creator)

How do I add a Content Security Policy to the response headers?

Sonja_Bauernfeind (Digital Support)

Hello @_rohitgharat 

If you are looking to add custom response headers in Qlik Sense (Enterprise on Windows), see How to add additional response headers in Qlik Sense.

Please note that we cannot advise on what headers to add.

All the best,
Sonja 
