SAP Knowledge Base Article - Public

2088904 - Configuring Clickjacking filter for a SuccessFactors instance - BizX Platform


Customer has concerns about clickjacking attack and would like to know more about Clickjack filter settings.


SAP SuccessFactors HXM Suite


  • The Clickjack Filter is an opt-in feature. If customer concerns about clickjacking attack, they need to contact their Partner or report an case under LOD-SF-PLT for the support team to enable the feature in Provisioning.
  • This filter will set the proper browser response header that instruct the browser to not allow framing from other domains, but only accept the one that is trusted as specified in the token.

There are currently two options for customer to consider:

  1. When you don't need to view SF application via iframe, you will need to select "Same Original Domain Only". In this situation, the filter will never allow any untrusted domain iframe BizX application including customer's site.
  1. If you need to view SF application via iframe, then the "Define Trusted Domain" option should be selected. For not supported browsers, it will not be totally safe from ClickjackFilter attack even enabling the filter due to the limitation of the browser header.

Please visit the help portal guide for details on how to enable this feature and more: Clickjacking Filter


See Also

Clickjacking Filter


Clickjacking, security, attack, SuccessFactors, BizX, Same Original Domain Only, Define Trusted Domain , KBA , sf bizx system/platform , sf security , LOD-SF-PLT , Platform Foundational Capabilities , How To


SAP SuccessFactors HCM all versions