SAP Knowledge Base Article - Public

2088904 - Configuring Clickjacking filter for a SuccessFactors instance - BizX Platform

Symptom

  • How to prevent clickjacking attacks in SAP SuccessFactors?
  • How to configure the Clickjack filter?
  • How to confirm whether the Clickjack filter is enabled?

Environment

SAP SuccessFactors HCM Suite

Resolution

  • The Clickjack Filter is an opt-in feature. Contact your Partner or create a case under LOD-SF-PLT requesting the enablement of the feature in Provisioning.
  • This filter sets the browser response header that instructs the browser not to allow framing from other domains, accepting only the trusted domain specified in the token.
  • When it is enabled, an “X-FRAME-OPTIONS” header is present in the response headers.

There are currently two options for customers to consider:

  1. If there is no need to view the SF application via an iframe, select "Same Original Domain Only". In this situation, the filter will never allow any untrusted domain to frame the BizX application, including the customer's own site.
  2. If the SF application must be viewable via an iframe, select the "Define Trusted Domain" option. On browsers that do not support the header, the filter cannot fully protect against clickjacking even when enabled, because of the limitation in the browser's handling of the header.
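To confirm the filter is enabled, the following added example (not code from the KBA or the help portal) parses a raw HTTP response and classifies the X-Frame-Options value it carries. The sample responses are constructed; mapping "Same Original Domain Only" to SAMEORIGIN and "Define Trusted Domain" to an ALLOW-FROM value is an assumption, since the KBA does not state which header values the filter emits.

```python
from typing import Dict, Optional, Tuple

# Constructed sample responses (not captured from a real SuccessFactors instance).
RESPONSE_SAME_ORIGIN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n\r\n<html>...</html>"
)
RESPONSE_TRUSTED_DOMAIN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://intranet.example.com\r\n\r\n<html>...</html>"
)
RESPONSE_UNFILTERED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 response into its header fields (body ignored).
    Names are lower-cased so lookups are case-insensitive, as browsers treat them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def framing_policy(headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify the X-Frame-Options value. Returns (policy, detail):
      ("absent", None)        header missing: the filter is not active on this response
      ("deny", None)          framing refused everywhere
      ("sameorigin", None)    same-origin framing only (assumed: "Same Original Domain Only")
      ("allow-from", origin)  one trusted origin (assumed: "Define Trusted Domain");
                              browsers that never supported ALLOW-FROM ignore it
      ("invalid", value)      unrecognised value; browsers ignore it, so no protection"""
    value = headers.get("x-frame-options")
    if value is None:
        return "absent", None
    token = value.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return token.lower(), None
    if token.startswith("ALLOW-FROM"):
        origin = value.strip()[len("ALLOW-FROM"):].strip() or None
        return "allow-from", origin
    return "invalid", value


def filter_enabled(raw_response: str) -> bool:
    """True when the response carries an X-Frame-Options value a browser can enforce."""
    policy, _ = framing_policy(parse_headers(raw_response))
    return policy in ("deny", "sameorigin", "allow-from")
```

Run it against a saved response from the instance after the filter has been enabled in Provisioning; an "absent" or "invalid" result means no browser will refuse framing for that page.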

Visit the help portal guide for details on how to enable this feature and more: Clickjacking Filter

See Also

Help Portal - Clickjacking Filter

Keywords

Clickjacking, security, attack, SuccessFactors, BizX, Same Original Domain Only, Define Trusted Domain, sf bizx system/platform, sf security, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, How To

Product

SAP SuccessFactors HCM Suite all versions