SAP Knowledge Base Article - Public

2863021 - Configuring Content Security Header policies for a SuccessFactors instance

Symptom

  • Customer has concerns about attacks such as cross site scripting and data injection
  • Customer wants further information regarding the security features Referrer Policy and Content Security Policy

Environment

SAP SuccessFactors HCM Suite

Resolution

SuccessFactors allows the activation of Clickjacking Filter, Security Scan of User Inputs and Content Security Policy.

The Clickjacking Filter is an allowlist-based feature that controls which pages are allowed to render your SAP SuccessFactors pages or features within a frame.

Enabling the Content Security Policy in Provisioning adds a Content Security Policy header to responses, which helps protect your system from attacks such as cross-site scripting and data injection. To avoid unintended blocking of resources when Content Security Policy violations occur, you can add the pages that contain such resources to the allowlist.

With the Security Scan of User Inputs, data transferred to SAP SuccessFactors HXM Suite through API calls in integration scenarios is validated and harmful content is filtered.

For detailed information on each feature, please refer to the respective documentation linked under See Also.

Examples of policy headers that can be added under Content Security Policy Header:

  • Add XSS protection header - (X-XSS-Protection)
  • Add MIME sniffing protection header - (X-Content-Type-Options)
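The following is an added example, not SAP code and not part of this KBA: a small checker a tenant administrator can run against the response headers their instance returns, to confirm that the Content Security Policy header and the two protection headers listed above are present and not configured too permissively. The header values are constructed sample data; header names are the standard HTTP ones, and the severity labels are this example's own convention.

```python
"""Check security-related HTTP response headers (added example, not SAP code).

Demonstrates how to verify that Content-Security-Policy, X-Content-Type-Options
and X-XSS-Protection are present and sensibly configured. All header values
below are constructed samples, not captured from a real SuccessFactors instance.
"""
from typing import Dict, List, Tuple

# Constructed sample: a reasonably configured response.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.com; "
        "frame-ancestors 'self'; object-src 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: a weak configuration for contrast.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src 'unsafe-inline'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # skip empty segments such as a trailing ';'
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means no issues found."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy header missing"))
    else:
        d = parse_csp(csp)
        if "default-src" not in d:
            findings.append(("medium", "CSP has no default-src fallback"))
        for directive, sources in d.items():
            if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
                findings.append(("medium", f"{directive} allows unsafe inline/eval"))
            if "*" in sources:
                findings.append(("medium", f"{directive} allows any origin (*)"))
        if "frame-ancestors" not in d:
            findings.append(("low", "CSP has no frame-ancestors directive; "
                                    "framing control relies on other mechanisms"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options is not 'nosniff'"))
    if "x-xss-protection" not in h:
        findings.append(("info", "X-XSS-Protection header missing "
                                 "(legacy header; modern browsers rely on CSP)"))
    return findings


if __name__ == "__main__":
    for name, hdrs in (("sample", SAMPLE_HEADERS), ("weak", WEAK_HEADERS)):
        print(f"== {name} ==")
        for severity, message in check_headers(hdrs) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

In practice the header dictionary would come from an HTTP client's response object; the checker itself is independent of how the headers are obtained.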


See Also

Setting Up Security Features for SAP SuccessFactors HXM Suite

Enabling Interstitial Pages for External Redirection | SAP Help Portal

Allowing Framing from SAP SuccessFactors Domain Only | SAP Help Portal

Keywords

security, Referrer Policy, Content Security Policy, SPF-610, SPF-533, Cross Site Scripting, data injection, Clickjacking Filter, Security Scan of User Inputs, sf, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, How To

Product

SAP SuccessFactors HCM Suite all versions