Symptom
- How to prevent clickjacking attack in SAP SuccessFactors?
- How to configure Clickjack filter?
- How to confirm if Clickjack filter is enabled?
Environment
SAP SuccessFactors HCM Suite
Resolution
- The Clickjack Filter is an opt-in feature. Contact your Partner or create a case under LOD-SF-PLT requesting the enablement of the feature in Provisioning.
- This filter sets the browser response header that instructs the browser not to allow framing from other domains, accepting only the trusted domain specified in the token.
- When it is enabled, the response headers include “X-FRAME-OPTIONS”.
There are currently two options for customers to consider:
- If there is no need to view the SF application in an iframe, select "Same Original Domain Only". With this setting, the filter never allows any untrusted domain, including the customer's own site, to frame the BizX application.
- To view the SF application in an iframe, select the "Define Trusted Domain" option. On browsers that do not support the header, the application is not fully protected against clickjacking even with the filter enabled, because of the browser's limited header support.
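To confirm which option is in effect from the response headers (the third question under Symptom), the following added example, not SAP's code, parses a raw HTTP response and maps the X-Frame-Options value to the two options above. It assumes that "Same Original Domain Only" emits `SAMEORIGIN` and "Define Trusted Domain" emits `ALLOW-FROM <uri>`; the sample responses and the domain are constructed.

```python
import re

# Constructed sample responses; not captured from a real SuccessFactors tenant.
RESP_NO_FILTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_SAMEORIGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "X-FRAME-OPTIONS: SAMEORIGIN\r\n\r\n<html>")
RESP_TRUSTED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "X-Frame-Options: ALLOW-FROM https://intranet.example.com\r\n\r\n<html>")


def parse_headers(raw: str) -> dict:
    """Return the header block of a raw HTTP/1.x response as {lower-name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_clickjack_filter(raw: str) -> dict:
    """Map the X-Frame-Options value to the KBA's configuration options (assumed mapping)."""
    value = parse_headers(raw).get("x-frame-options")
    if value is None:
        return {"enabled": False, "mode": None,
                "note": "no X-Frame-Options header: the Clickjack Filter is not enabled"}
    if value.upper() == "SAMEORIGIN":
        return {"enabled": True, "mode": "Same Original Domain Only",
                "note": "browser may frame the application only from the same origin"}
    if value.upper() == "DENY":
        return {"enabled": True, "mode": "DENY", "note": "all framing is refused"}
    m = re.fullmatch(r"ALLOW-FROM\s+(\S+)", value, flags=re.IGNORECASE)
    if m:
        return {"enabled": True, "mode": "Define Trusted Domain",
                "trusted_domain": m.group(1),
                "note": "browsers that do not support ALLOW-FROM ignore it, so the page "
                        "can still be framed there (the limitation noted above)"}
    return {"enabled": True, "mode": "unrecognised", "value": value,
            "note": "unexpected X-Frame-Options value; verify the Provisioning setting"}


if __name__ == "__main__":
    for label, resp in [("none", RESP_NO_FILTER), ("sameorigin", RESP_SAMEORIGIN),
                        ("trusted", RESP_TRUSTED)]:
        print(label, classify_clickjack_filter(resp))
```

Feed it the raw output of an authenticated request to your own tenant (for example from `curl -i`) to verify the setting after the feature has been enabled in Provisioning.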
Visit the help portal guide for details on how to enable this feature and more: Clickjacking Filter
See Also
Help Portal - Clickjacking Filter
Keywords
Clickjacking, security, attack, SuccessFactors, BizX, Same Original Domain Only, Define Trusted Domain, sf bizx system/platform, sf security, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, How To
Product
SAP SuccessFactors HCM Suite all versions
SAP Knowledge Base Article - Public