diff --git a/commands/serve/web/components/Hub/SelectEngine/ConnectionGuid.jsx b/commands/serve/web/components/Hub/SelectEngine/ConnectionGuid.jsx
index b113bcab0..22d7a1947 100644
--- a/commands/serve/web/components/Hub/SelectEngine/ConnectionGuid.jsx
+++ b/commands/serve/web/components/Hub/SelectEngine/ConnectionGuid.jsx
@@ -71,6 +71,14 @@ const ConnectionGuid = ({ showGuid }) => (
{window.location.host} needs to be whitelisted in QMC in your Qlik Sense on Windows deployment. In
addition, you need to enable Has secure attribute and set SameSite attribute to None.
+ Also some "Additional reponse headers" needs to align with the whitelisted domain:
+
+ -
+ Access-Control-Allow-Origin:
{window.location.host}
+
+ - Access-Control-Allow-Credentials: true
+ - Access-Control-Expose-Headers: qlik-csrf-token
+
Make sure you are logged in to Qlik Sense in another browser tab.
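Review bot: The value shown for Access-Control-Allow-Origin is `{window.location.host}`, which carries no scheme, while browsers compare that header against the full origin (scheme, host and port); an admin who copies the displayed value would end up with a header that never matches. Rendering `{window.location.origin}` on that line would give the exact string to enter. It is also worth stating that a wildcard origin is not accepted together with `Access-Control-Allow-Credentials: true`, so the origin has to be listed explicitly. The added sentence has a typo ("reponse") and would read better as `Also, some "Additional response headers" need to align with the whitelisted domain:`.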
diff --git a/commands/serve/web/connect.js b/commands/serve/web/connect.js
index 9a0ea6ea2..c49484bd9 100644
--- a/commands/serve/web/connect.js
+++ b/commands/serve/web/connect.js
@@ -168,7 +168,9 @@ const connect = async () => {
};
}
- const csrfToken = await getCsrfToken(`https://${enigmaInfo.host}/${enigmaInfo.prefix}`);
+ const csrfToken = await getCsrfToken(
+ `https://${enigmaInfo.host}${enigmaInfo.prefix ? `/${enigmaInfo.prefix}` : ''}`
+ );
const url = SenseUtilities.buildUrl({
secure: false,
...enigmaInfo,
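Review bot: The base-URL expression added here is repeated verbatim in hooks/useOpenApp.js, so the two call sites can drift apart again; building it in one place, for example a small helper beside getCsrfToken that takes `enigmaInfo`, would be tidier. The truthiness check only covers a missing or empty prefix: a prefix stored with a leading or trailing slash would still produce `//` in the path, so normalising it before joining (e.g. `prefix.replace(/^\/+|\/+$/g, '')`) is worth considering. The `connect` body starts and continues outside this hunk, so how `enigmaInfo.prefix` is populated is not visible here.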
diff --git a/commands/serve/web/hooks/useOpenApp.js b/commands/serve/web/hooks/useOpenApp.js
index fff9c62d8..166a984cc 100644
--- a/commands/serve/web/hooks/useOpenApp.js
+++ b/commands/serve/web/hooks/useOpenApp.js
@@ -30,7 +30,9 @@ export const useOpenApp = ({ info }) => {
const { webSocketUrl } = await (await fetch(`/auth/getSocketUrl/${info?.enigma.appId}`)).json();
url = webSocketUrl;
} else {
- const csrfToken = await getCsrfToken(`https://${enigmaInfo.host}/${enigmaInfo.prefix}`);
+ const csrfToken = await getCsrfToken(
+ `https://${enigmaInfo.host}${enigmaInfo.prefix ? `/${enigmaInfo.prefix}` : ''}`
+ );
url = SenseUtilities.buildUrl({ ...enigmaInfo, ...{ urlParams: { 'qlik-csrf-token': csrfToken } } });
}
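Review bot: The token is placed into `urlParams` unconditionally, so when getCsrfToken returns `''` (the new no-header case) the WebSocket URL may still carry an empty `qlik-csrf-token` parameter, and on the failure path possibly the string `undefined`, depending on how `SenseUtilities.buildUrl` serialises values. Adding the parameter only when a token exists keeps the URL clean and makes a missing token easier to spot: `urlParams: csrfToken ? { 'qlik-csrf-token': csrfToken } : {}`. The same may apply to the `buildUrl` call in connect.js, whose arguments continue outside its hunk. The enclosing callback starts and ends outside this hunk.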
diff --git a/commands/serve/web/utils/getCsrfToken.js b/commands/serve/web/utils/getCsrfToken.js
index 9288b259e..27aa1fd70 100644
--- a/commands/serve/web/utils/getCsrfToken.js
+++ b/commands/serve/web/utils/getCsrfToken.js
@@ -1,7 +1,11 @@
export default async function getCsrfToken(host) {
try {
const res = await fetch(`${host}/qps/csrftoken`, { credentials: 'include' });
- return res.headers.get('QLIK-CSRF-TOKEN');
+ const token = res.headers.get('QLIK-CSRF-TOKEN');
+ if (token) {
+ return token;
+ }
+ return '';
} catch (err) {
console.log('Failed to fetch csrf-token', err);
}
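Review bot: The new `return ''` covers only a response without the header; as far as the hunk shows, the `catch` branch still falls through with no return, so callers get `undefined` on a network or CORS failure and `''` otherwise. Returning `''` from the `catch` as well would give callers a single value to test for. The response status is not checked either, so a 401/403 from `/qps/csrftoken` is treated the same as a deployment without CSRF protection; an `if (!res.ok)` branch with its own log line would make an unauthenticated session visible. The added lines can be shortened to `return res.headers.get('QLIK-CSRF-TOKEN') ?? '';`. The function's closing lines are outside the hunk.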