Embed analytics with anonymous access on Qlik Sense Enterprise client-managed

What you’ll learn

• How anonymous access works on Qlik Sense Enterprise client-managed.
• How to configure a virtual proxy in the Qlik Management Console (QMC) for anonymous access.
• How to configure qlik-embed to connect to an anonymous virtual proxy.
• How to handle cross-domain embedding without user login.
• Common mistakes and how to avoid them.

How anonymous access works on client-managed

Anonymous access on Qlik Sense Enterprise client-managed is session-based. When a browser requests content through an anonymous-enabled virtual proxy, Qlik Sense creates an anonymous session and issues a session cookie, without requiring a login prompt. This is different from Qlik Cloud anonymous access, which uses OAuth2 and is only available on cloud tenants.

Prerequisites

• Qlik Sense Enterprise for Windows with Analyzer Capacity, or Qlik Analytics Platform (QAP). Named User licenses do not support anonymous sessions.
• Administrator access to the QMC.
• A published Qlik Sense app that anonymous users can access.
• HTTPS on both the Qlik Sense server and the embedding site (required for SameSite=None cookies used in cross-domain scenarios).
• A trusted HTTPS certificate (browser security restrictions commonly cause issues loading cross-site content with untrusted or expired certificates).

Architecture overview

An anonymous embed setup has three components:

1. An anonymous virtual proxy configured in the QMC. All anonymous browser requests pass through this virtual proxy, which grants a session without requiring credentials.
2. A Qlik Sense app published so that anonymous users can open it.
3. An embedding site that loads qlik-embed and points it to the anonymous virtual proxy.

If your embedding site is on a different domain from your Qlik Sense server (cross-domain), you must also configure CORS headers and SameSite=None cookies on the virtual proxy, and optionally use a reverse proxy.

Choose your hosting approach

You can host the HTML page that contains your qlik-embed components in two ways:

• Standalone web server: a separate web server (for example, Nginx, Apache, or a Node.js application server) that serves your embedding site independently of Qlik Sense. This is the recommended approach for most deployments.
• Qlik Sense extension server: upload your HTML, JavaScript, and CSS files as a Qlik Sense extension, which makes them available at a path under the Qlik Sense server itself. Because the embedding page is served from the same origin as Qlik Sense, you do not need CORS headers or SameSite=None cookies. This pattern is supported and works well for simple or proof-of-concept pages with no backend logic.

Step 1: Create an anonymous virtual proxy in the QMC

Create a dedicated virtual proxy for anonymous access. Do not modify your existing default virtual proxy, as this would affect all authenticated users.

1. Open the QMC and go to Virtual proxies.

2. Select Create new.

3. Fill in the following required fields:

   • Description: for example, Anonymous embed proxy.
   • Prefix: the path segment that identifies this proxy, for example anonym. Browsers will reach Qlik Sense through https://<your-server>/anonym.
   • Session cookie header name: for example, X-Qlik-Session-Anonym.

4. Under Authentication, set Anonymous access mode to Allow anonymous users (sometimes shown as Always anonymous). This tells Qlik Sense to grant a session without prompting for credentials.

5. Select Advanced to open the advanced settings panel.

6. Add the anonymous access load balancing condition. In the Load balancing section, set the node condition to:

   user.isAnonymous()

   This routes anonymous sessions to the correct engine node.

7. Under Advanced, locate Additional response headers and add the following headers, replacing https://<your-embedding-site> with the actual origin of your embedding site:

   Access-Control-Allow-Origin: https://<your-embedding-site>
   Access-Control-Allow-Credentials: true
   Access-Control-Expose-Headers: Qlik-Csrf-Token

   Exact origin required

   The Access-Control-Allow-Origin header must contain an exact origin with scheme, hostname, and optional port. Wildcards (*) cannot be combined with Access-Control-Allow-Credentials: true and will cause CORS failures.

8. Under Advanced, add your embedding site to the Host allow list. Enter the full origin, for example https://<your-embedding-site>.

9. Set the SameSite cookie attribute to None, and also set the Secure flag (both are required for cross-domain cookie exchange). Both settings together require HTTPS on both your embedding site and the Qlik Sense server.

10. Select Apply.

11. Link the new virtual proxy to the correct proxy: go to Proxies, open the proxy service (typically the central node), and select Associate items to link the new anonymous virtual proxy.

Step 2: Publish the app for anonymous access

Anonymous users can only open apps that are published to a stream they have access to. Ensure the stream has read access for anonymous users.

1. In the QMC, go to Streams.

2. Open or create the stream that holds the app you want to embed.

3. Under Security rules, add a rule that grants anonymous users read access. For example:

   ((user.IsAnonymous()=true))

   with the Read action selected.

4. Publish the target app to that stream.

Step 3: Configure qlik-embed on your embedding site

Add the qlik-embed script tag to the <head> of your embedding page. Point data-host and data-login-uri to the anonymous virtual proxy URL you created in step 1.

<script
  crossorigin="anonymous"
  type="application/javascript"
  src="https://cdn.jsdelivr.net/npm/@qlik/embed-web-components@1/dist/index.min.js"
  data-host="https://<your-qlik-server>/anonym"
  data-login-uri="https://<your-qlik-server>/anonym"
  data-cross-site-cookies="true"
></script>

Replace <your-qlik-server> with your Qlik Sense server hostname, and anonym with the prefix you chose in step 1.

• data-host: the base URL of the Qlik Sense server, including the virtual proxy prefix.
• data-login-uri: the URL qlik-embed calls to establish a session. For anonymous access, this must point to the anonymous virtual proxy so that Qlik Sense issues an anonymous session cookie rather than redirecting to a login page.
• data-cross-site-cookies="true": required when the embedding page and the Qlik Sense server are on different domains. This tells qlik-embed to handle cross-site cookie exchange. Omit this attribute if embedding from the same domain.

Step 4: Add an embedded visualization

In the <body> of your page, add a qlik-embed web component. Replace <APP-ID> and <OBJECT-ID> with the IDs from your Qlik Sense app.

<qlik-embed
  ui="analytics/chart"
  app-id="<APP-ID>"
  object-id="<OBJECT-ID>"
></qlik-embed>

For more information about UIs and parameters, see UIs and parameters.

Security considerations

When using a reverse proxy in front of Qlik Sense, configure the reverse proxy to strip any X-Qlik-User headers from incoming client requests before forwarding them to Qlik Sense. This prevents clients from injecting a user identity, which would bypass the anonymous session mechanism.

For header-based authentication setups where you inject a shared static identity (for example, UserDirectory=PUBLIC;UserId=anonymous), the reverse proxy is the enforcement point. If the proxy does not strip client-supplied headers, any user can impersonate that identity.

Troubleshooting

Next steps

• UIs and parameters: explore all available qlik-embed components and their configuration options.
• Configure Qlik Sense Enterprise client-managed: review cross-domain setup requirements for authenticated sessions.
• Auth overview: compare all available authentication options for qlik-embed.