Symptom
The server did not return an X-Frame-Options header with the value DENY or SAMEORIGIN, which means that the system could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page inside a frame or Iframe.
Environment
SAP - Cloud for Customer
Cause
What confuses automated scans is that not every response carries all of these settings: the protection is applied through several mechanisms, and a scanner that checks only for an X-Frame-Options header on each individual response will report a finding even though the page cannot be framed.
Resolution
Cloud for Customer has clickjacking protections in place: JavaScript-based protection, a Content Security Policy (CSP), and the X-Frame-Options header set to SAMEORIGIN. As a result, when you try to launch Cloud for Customer inside an iframe, nothing is displayed; this is the expected behavior, not an error.
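To illustrate the point of this KBA, the following is an added example (not SAP code, and not part of the Cloud for Customer product) of how a scanner should evaluate anti-clickjacking protection per response: a response counts as protected if either X-Frame-Options is DENY or SAMEORIGIN or a CSP frame-ancestors directive restricts who may embed it, so a missing X-Frame-Options header alone is not a finding. The URLs and header sets are constructed sample data; example.invalid is a placeholder, not a real host.

```python
"""Per-response evaluation of anti-clickjacking headers (constructed example)."""
from typing import Dict, List, Tuple

# X-Frame-Options values that actually restrict framing. The obsolete
# ALLOW-FROM form is ignored by current browsers, so it is not listed.
XFO_SAFE = {"DENY", "SAMEORIGIN"}


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise once up front.
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def frame_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Report which mechanisms restrict framing for a single response.

    'protected' is True when X-Frame-Options is DENY/SAMEORIGIN, or when a
    CSP frame-ancestors directive is present and is not the wildcard '*'
    (an empty source list or 'none' forbids framing entirely; 'self' or a
    host list limits embedding to those origins).
    """
    h = _lower_keys(headers)
    mechanisms: List[str] = []

    xfo = h.get("x-frame-options", "").upper()
    if xfo in XFO_SAFE:
        mechanisms.append(f"X-Frame-Options: {xfo}")

    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None and "*" not in ancestors:
        mechanisms.append("CSP frame-ancestors " + " ".join(ancestors))

    return {"protected": bool(mechanisms), "mechanisms": mechanisms}


def scan_responses(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return the URLs whose responses carry no framing restriction at all."""
    return [url for url, hdrs in responses if not frame_protection(hdrs)["protected"]]


# Constructed sample responses: the first two are protected by different
# mechanisms (one has no X-Frame-Options header at all), the last two are not.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("https://example.invalid/app",
     {"X-Frame-Options": "SAMEORIGIN",
      "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}),
    ("https://example.invalid/api/data",
     {"Content-Type": "application/json",
      "Content-Security-Policy": "frame-ancestors 'none'"}),
    ("https://example.invalid/legacy",
     {"Content-Type": "text/html"}),
    ("https://example.invalid/widget",
     {"x-frame-options": "ALLOW-FROM https://partner.invalid"}),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES:
        print(url, frame_protection(hdrs))
    print("unprotected:", scan_responses(SAMPLE_RESPONSES))
```

A scanner written this way reports only the responses that no mechanism covers, which is the distinction the Cause section above describes: a response protected by CSP frame-ancestors without an X-Frame-Options header is not a clickjacking exposure.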
See Also
Keywords
Security, X-Frame-Options, Automated, Scans, Iframe, Cloud for Customer, Clickjacking, attack, Deny, Sameorigin, KBA, LOD-CRM-SEC, Security Topics, How To