SAP Knowledge Base Article - Public

3468400 - Missing "X-Frame-Options" Header Parameter In All Screens

Symptom

Customer reports that the "X-Frame-Options" header parameter is missing in all screens.

Environment

SAP Cloud for Customer

Resolution

We have several different features working together to protect the application:

  • Content Security Policy header
  • Clickjacking protections via code in the first request that shows the logon screen
  • strict-transport-security: max-age=31536000 ; includeSubDomains
  • x-content-type-options: nosniff
  • x-frame-options: SAMEORIGIN

We don't use X-XSS-Protection. These headers are not present on every response; you would have to trace through a logon process and check several of the requests to see all of the headers.

For example:
Request URL:  https://<your system>/sap/ap/ui/clogin?saml2=disabled
Method: GET

content-security-policy: frame-ancestors ...
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

We run a minimum of one external penetration test per year plus several internal tests to verify our protections.

To protect against clickjacking, we use a combination of solutions such as CSS and JavaScript together with the X-Frame-Options header set to SAMEORIGIN. It is not possible to launch C4C in a frame.

The X-Frame-Options header is set on selected responses during the logon step.
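Because the headers are only set on selected responses during logon, checking a single request (or a static asset) produces a false "missing header" finding. The following script is an added example, not SAP's code: it audits every response captured during a logon flow, reports which of the four headers each response carries, checks the HSTS and frame-ancestors values, and only fails the flow if a response that actually renders HTML lacks framing protection. The sample responses in SAMPLE_FLOW are constructed for illustration (the frame-ancestors value 'self' and the static asset path are assumptions, as is the <your system> placeholder host); capture_flow() shows how a tenant could record its own flow with the standard library and is not executed here.

```python
"""Audit X-Frame-Options and related headers across a captured logon flow."""
import re
import urllib.request

REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-content-type-options", "x-frame-options")
ONE_YEAR = 31536000  # max-age value quoted in the KBA


def parse_headers(raw):
    """Parse a raw 'Name: value' header block into a dict with lowercase names."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def hsts_ok(value):
    """True if max-age is at least one year and includeSubDomains is present.
    Tolerates the 'max-age=31536000 ; includeSubDomains' spacing shown in the KBA."""
    tokens = [t.strip().lower() for t in value.split(";")]
    max_age = 0
    for token in tokens:
        match = re.fullmatch(r"max-age=(\d+)", token)
        if match:
            max_age = int(match.group(1))
    return max_age >= ONE_YEAR and "includesubdomains" in tokens


def check_response(headers):
    """Evaluate the protection headers of a single response."""
    xfo = headers.get("x-frame-options", "").upper()
    ancestors = frame_ancestors(headers.get("content-security-policy", ""))
    hsts = headers.get("strict-transport-security")
    return {
        "missing": [h for h in REQUIRED if h not in headers],
        "xfo_ok": xfo in ("DENY", "SAMEORIGIN"),
        "frame_ancestors_ok": ancestors is not None and "*" not in ancestors,
        "hsts_ok": hsts_ok(hsts) if hsts is not None else False,
        "nosniff": headers.get("x-content-type-options", "").lower() == "nosniff",
    }


def audit_flow(flow):
    """flow: list of (url, status, raw_header_block) in the order they were seen.
    The flow passes when every response that renders HTML is protected against
    framing by X-Frame-Options or CSP frame-ancestors; redirects and static
    assets are reported but do not fail the flow."""
    responses, flow_ok = {}, True
    for url, status, raw in flow:
        headers = parse_headers(raw)
        result = check_response(headers)
        content_type = headers.get("content-type", "").lower()
        result["renders_html"] = status == 200 and content_type.startswith("text/html")
        result["framing_protected"] = result["xfo_ok"] or result["frame_ancestors_ok"]
        if result["renders_html"] and not result["framing_protected"]:
            flow_ok = False
        responses[url] = result
    return {"responses": responses, "flow_ok": flow_ok}


class _RecordingRedirects(urllib.request.HTTPRedirectHandler):
    """Keep the headers of every redirect hop instead of discarding them."""
    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((req.full_url, code, str(headers)))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def capture_flow(url):
    """Fetch url following redirects and return a flow list for audit_flow().
    Assumed usage against your own tenant's logon URL; not executed in this file."""
    recorder = _RecordingRedirects()
    opener = urllib.request.build_opener(recorder)
    with opener.open(url) as resp:
        recorder.hops.append((resp.geturl(), resp.status, str(resp.headers)))
    return recorder.hops


# Constructed sample flow: an initial redirect, the logon screen, one static asset.
SAMPLE_FLOW = [
    ("https://<your system>/", 302,
     "location: /sap/ap/ui/clogin?saml2=disabled\r\ncontent-length: 0\r\n"),
    ("https://<your system>/sap/ap/ui/clogin?saml2=disabled", 200,
     "content-type: text/html; charset=utf-8\r\n"
     "content-security-policy: frame-ancestors 'self'\r\n"
     "strict-transport-security: max-age=31536000 ; includeSubDomains\r\n"
     "x-content-type-options: nosniff\r\n"
     "x-frame-options: SAMEORIGIN\r\n"),
    ("https://<your system>/sap/public/static/app.js", 200,
     "content-type: application/javascript\r\ncache-control: max-age=86400\r\n"),
]

if __name__ == "__main__":
    report = audit_flow(SAMPLE_FLOW)
    for url, result in report["responses"].items():
        print(url, "missing:", result["missing"], "html:", result["renders_html"])
    print("flow ok:", report["flow_ok"])
```

Run it as-is to see the constructed flow pass; to audit a real tenant, replace SAMPLE_FLOW with capture_flow("https://<your system>/sap/ap/ui/clogin?saml2=disabled"). The key design choice is that missing headers on a redirect or a .js asset are reported but not treated as a finding, which is exactly the distinction a single-request scanner misses.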

Keywords

X-Frame-Options; Header; Missing; parameter; screen; penetration; test; security; protect. , KBA , AP-RC-UIF , C4C UI Framework , How To

Product

SAP Cloud for Customer core applications 2402