SAP Knowledge Base Article - Preview

3108796 - Missing X-Frame-Options / X-XSS-Protection header in Cloud Portal/SAP Build Work Zone, standard edition running in BTP Cloud Foundry

Symptom

After penetration testing against site created in Cloud Portal Service/SAP Build Work Zone, standard edition, running on BTP Cloud Foundry, following security risk get detected:
--------------------------------------------------------------------------------------------------------
Findings: Missing X-XSS-Protection Header
Risk Level: Low
Impact URL(s): <site URL>
 
Observations:
We detected a missing X-XSS-Protection header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.  
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected XSS attacks.
 
Recommendations:
It is recommended that the following be implemented:
• Add the X-XSS-Protection header with a value of "1; mode= block".
--------------------------------------------------------------------------------------------------------

or 
--------------------------------------------------------------------------------------------------------
Findings: X-Frame-Options header not Implemented
Risk Level: Low
Impact URL(s): <site URL>

Recommendations:
It is recommended to implement X-Frame-Options on server side HTTPS response.
--------------------------------------------------------------------------------------------------------


Read more...

Environment

  • SAP BTP Cloud Portal Service running in Cloud Foundry(CF)
  • SAP Build Work Zone, standard edition

Product

BTP 1.00

Keywords

CF, missing header, header is missing, lacking, neo, launchpad service, X-Frame-Options, deny, script-src, default-src, connect-src, img-src, frame-src, style-src, font-src, worker-src, frame-ancestors , KBA , EP-WZ-ASH , Workzone Approuter(not standalone),Activation,HTMLBootstrap , EP-CPP-CF-LP , Launchpad Content (Apps, Groups, Catalogs, Roles) , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.