Symptom
Customer reports that the "X-Frame-Options" header appears to be missing and cannot be seen on any screen.
Environment
SAP Cloud for Customer
Resolution
We have several different features working together to protect the application:
- Content Security Policy header
- Clickjacking protections via code in the first request that shows the logon screen
- strict-transport-security: max-age=31536000 ; includeSubDomains
- x-content-type-options: nosniff
- x-frame-options: SAMEORIGIN
We do not use the X-XSS-Protection header. These headers are not present on every response; to see all of them you have to trace through a logon process and inspect several of the requests.
For example:
Request URL: https://<your system>/sap/ap/ui/clogin?saml2=disabled
Method: GET
content-security-policy: frame-ancestors ...
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
We run a minimum of one external penetration test per year, plus several internal tests, to verify our protections.
To protect against clickjacking, we use a combination of solutions such as CSS and JavaScript together with the X-Frame-Options header set to SAMEORIGIN. It is not possible to launch C4C in a frame.
The X-Frame-Options header is set on selected responses during the logon step.
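The following is an added example, not SAP code or part of this KBA: it parses a captured trace of logon-sequence responses and reports, per response and for the flow as a whole, which of the headers listed above are present with a protective value. The trace and the second request path are constructed; only the first request URL and header values mirror the ones quoted above.

```python
from typing import Dict, List, Tuple

# Header -> substrings, any one of which makes the value count as protective.
EXPECTED = {
    "content-security-policy": ("frame-ancestors",),
    "strict-transport-security": ("max-age=",),
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("sameorigin", "deny"),
}

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lower-cased name -> value dict.
    Repeated headers are joined with ', ' as HTTP allows."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def check_response(headers: Dict[str, str]) -> Dict[str, bool]:
    """True for each expected header that is present with a protective value."""
    return {name: any(n in headers.get(name, "").lower() for n in needles)
            for name, needles in EXPECTED.items()}

def audit_logon_trace(trace: List[Tuple[str, str]]) -> Dict[str, object]:
    """Check each response of a logon sequence; a header counts as deployed if it
    appears on at least one response in the flow, which is the KBA's point."""
    per_step = {req: check_response(parse_response_headers(raw)) for req, raw in trace}
    seen = {name: any(r[name] for r in per_step.values()) for name in EXPECTED}
    return {"per_step": per_step,
            "never_seen": sorted(n for n, ok in seen.items() if not ok)}

# Constructed trace: the first response carries the headers quoted in the KBA,
# the second (an illustrative static resource, not a real C4C path) carries none.
SAMPLE_TRACE = [
    ("GET https://<your system>/sap/ap/ui/clogin?saml2=disabled",
     "HTTP/1.1 200 OK\r\n"
     "content-security-policy: frame-ancestors 'self'\r\n"
     "strict-transport-security: max-age=31536000 ; includeSubDomains\r\n"
     "x-content-type-options: nosniff\r\n"
     "x-frame-options: SAMEORIGIN\r\n"
     "content-type: text/html\r\n\r\n<html></html>"),
    ("GET https://<your system>/static/example.js",
     "HTTP/1.1 200 OK\r\ncontent-type: application/javascript\r\n\r\n"),
]
```

Running `audit_logon_trace(SAMPLE_TRACE)` shows the second response carrying none of the headers while `never_seen` is empty, which is exactly why a single-response check reports the header as missing even though the logon flow does set it.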
Keywords
X-Frame-Options; Header; Missing; parameter; screen; penetration; test; security; protect
KBA, AP-RC-UIF, C4C UI Framework, How To