SAP Knowledge Base Article - Public

2863021 - Configuring Content Security Header policies for a SuccessFactors instance

Symptom

  • Customer has concerns about attacks such as cross site scripting and data injection
  • Customer wants further information regarding the security features Referrer Policy and Content Security Policy

Environment

SAP SuccessFactors HXM Suite

Resolution

System release 2H2022 introduced new opt-in security features for customers, allowing the activation of the Clickjacking Filter, the Security Scan of User Inputs and the Content Security Policy.

The Clickjacking Filter is an allowlist-based feature that controls which pages are allowed to render your SAP SuccessFactors pages or features within a frame.

The Content Security Policy Header lets you protect your system from attacks such as Cross Site Scripting and data injection by enabling the Content Security Policy in Provisioning. To avoid unintended blocking of resources in case of Content Security Policy violations, you can add the pages that contain such resources to the allowlist.

As for the Security Scan of User Inputs, you can enable it for API calls in integration scenarios that transfer data to SAP SuccessFactors HXM Suite; the transferred data is validated and harmful content is filtered.

For detailed information regarding each feature, please refer to their respective documentation in full:

Examples of policy headers that can be added via the Content Security Policy Header:

  • Add XSS protection header - (X-XSS-Protection)
  • Add MIME sniffing protection header - (X-Content-Type-Options)

Note: The Referrer Policy Header was deprecated in 1H2022.
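The following is an added example, not SAP code, showing how an administrator could verify on a captured HTTP response that the protections named above are in place: it parses the Content-Security-Policy header, evaluates the frame-ancestors allowlist (the same allowlist idea as the Clickjacking Filter) against a candidate framing page, and checks for the X-Content-Type-Options and X-XSS-Protection headers. The header values and origins are constructed placeholders, not values from a real tenant.

```python
"""Audit the response headers this KBA describes (added example, not SAP code)."""
from typing import Dict, List

# Constructed sample response headers; the origins are hypothetical placeholders.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.com",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def frame_allowed(policy: Dict[str, List[str]], page_origin: str, own_origin: str) -> bool:
    """Return True if frame-ancestors lets page_origin embed a page served from own_origin.
    Assumption: sources are compared as exact origins; host wildcards are not handled."""
    sources = policy.get("frame-ancestors")
    if sources is None:
        return True  # no directive at all: any page may frame (the unprotected case)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and page_origin == own_origin:
            return True
        if src == "*" or src == page_origin:
            return True
    return False

def audit(headers: Dict[str, str]) -> Dict[str, bool]:
    """Report which of the protections named in the KBA the response carries."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    return {
        "csp_present": bool(csp),
        # a frame-ancestors list that contains '*' allows every page to frame, so it is no protection
        "clickjacking_protected": "frame-ancestors" in csp and "*" not in csp["frame-ancestors"],
        "mime_sniffing_protected": h.get("x-content-type-options", "").lower() == "nosniff",
        "xss_filter_header": "x-xss-protection" in h,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```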

See Also

 Setting Up Security Features for SAP SuccessFactors HXM Suite

Keywords

security, Referrer Policy, Content Security Policy, SPF-610, SPF-533, Cross Site Scripting, data injection, Clickjacking Filter, Security Scan of User Inputs, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, How To

Product

SAP SuccessFactors HCM Suite all versions