SAP Knowledge Base Article - Public

3433420 - Automated Scans Don't Return Values of X-Frame-Options for Cloud for Customer

Symptom

  The server did not return an X-Frame-Options header with the value DENY or SAMEORIGIN, which means that the system could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page inside a frame or iframe.

Environment

SAP - Cloud for Customer

Cause

What confuses automated scans is that not every response carries all of the clickjacking protection settings.

Resolution

Cloud for Customer has clickjacking protections in place: JavaScript-based protection, a Content Security Policy (CSP), and X-Frame-Options set to SAMEORIGIN. Not every response carries all of these settings, which is why an automated scan may report the header as missing. When Cloud for Customer is loaded in an iframe, nothing is displayed; this is the expected behavior, not an error.
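The following is an added example, not SAP code and not the logic of any particular scanner: a header check that considers both X-Frame-Options and a CSP frame-ancestors directive, so a response protected by CSP alone is not reported as unprotected. The sample header sets are constructed, not captured from Cloud for Customer.

```python
"""Check one HTTP response's headers for clickjacking protection.

Added example, not SAP code: a scanner that keys on X-Frame-Options alone
misreports a page that is protected by a CSP frame-ancestors directive.
"""
from typing import List, Optional, Tuple


def frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from the CSP header(s), or None."""
    for csp in csp_values:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def assess_clickjacking(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (protected, reason) for a list of (name, value) header pairs.
    CSP frame-ancestors overrides X-Frame-Options in browsers, so it is checked first."""
    def values(name: str) -> List[str]:
        return [v for n, v in headers if n.lower() == name]

    sources = frame_ancestors(values("content-security-policy"))
    if sources is not None:
        # '*' or a bare scheme such as https: lets any site frame the page
        if any(s in ("*", "http:", "https:") for s in sources):
            return False, "CSP frame-ancestors allows framing by any origin"
        return True, "CSP frame-ancestors restricted to: " + " ".join(sources)
    xfo = [v.strip().upper() for v in values("x-frame-options")]
    if not xfo:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return True, "X-Frame-Options: " + ", ".join(xfo)
    return False, "unrecognised X-Frame-Options value: " + ", ".join(xfo)


# Constructed sample responses, not captured from a real system
SAMPLES = {
    "xfo_only": [("Content-Type", "text/html"), ("X-Frame-Options", "sameorigin")],
    "csp_only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "open_csp": [("content-security-policy", "frame-ancestors *")],
    "none": [("Content-Type", "application/json")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = assess_clickjacking(hdrs)
        print(f"{name}: {'protected' if ok else 'NOT protected'} ({why})")
```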

See Also

3080379 - Customer Penetration Testing Request Process

Keywords

Security, X-Frame-Options, Automated, Scans, Iframe, Cloud for Customer, Clickjacking, attack, Deny, Sameorigin, KBA, LOD-CRM-SEC, Security Topics, How To

Product

SAP Cloud for Customer core applications 2311