SAP Knowledge Base Article - Public

2088904 - Configuring Clickjacking filter for a SuccessFactors instance - BizX Platform

Symptom

Customer has concerns about clickjacking attack and would like to know more about Clickjack filter settings.

Environment

SAP SuccessFactors HXM Suite

Resolution

  • The Clickjack Filter is an opt-in feature. If a customer has concerns about clickjacking attacks, they need to contact their Partner or report an incident under component LOD-SF-PLT so that the support team can enable the feature in Provisioning.
  • This filter sets the proper browser response header, which instructs the browser not to allow framing from other domains and to accept only the trusted domain specified in the token.

There are currently two options for the customer to consider:

  1. If you do not need to view the SF application via an iframe, select "Same Original Domain Only". In this situation, the filter will never allow any untrusted domain to iframe the BizX application, including the customer's own site.
  2. If you do need to view the SF application via an iframe, select the "Define Trusted Domain" option. On unsupported browsers, the application will not be fully protected from clickjacking even with the filter enabled, because of the browser's limited support for the header.
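As an added illustration (not SAP's code; the KBA does not name the header the filter sets), the following Python assumes the filter is implemented with the standard X-Frame-Options and/or Content-Security-Policy frame-ancestors response headers and, from captured response headers, reports which of the two modes an instance is in and whether a given embedding origin would be allowed to frame it. The sample headers and domain names are constructed.

```python
# Added example, not SAP code. Assumption: the Clickjack Filter expresses its
# "Same Original Domain Only" / "Define Trusted Domain" choice via the standard
# X-Frame-Options and/or CSP frame-ancestors headers (the KBA names neither).
# Constructed sample responses: one per filter mode, plus filter disabled.
SAMPLE_RESPONSES = {
    "same_origin": {"X-Frame-Options": "SAMEORIGIN",
                    "Content-Security-Policy": "frame-ancestors 'self'"},
    "trusted_domain": {"Content-Security-Policy":
                       "frame-ancestors 'self' https://hr-portal.example.com"},
    "disabled": {"Content-Type": "text/html"},
}


def framing_policy(headers: dict, page_origin: str) -> dict:
    """Return {'mode', 'allowed'}; mode is 'none' (no anti-framing header),
    'deny', 'same_origin' or 'trusted_domain'. CSP frame-ancestors wins over
    X-Frame-Options, as in current browsers. Origins are matched exactly."""
    page_origin = page_origin.lower()
    h = {k.lower(): v for k, v in headers.items()}
    allowed, restricted = set(), False
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            restricted = True
            for src in (t.strip("'").lower() for t in tokens[1:]):
                if src == "self":
                    allowed.add(page_origin)
                elif src != "none":
                    allowed.add(src)
            break
    else:  # no frame-ancestors directive: fall back to X-Frame-Options
        xfo = h.get("x-frame-options", "").strip().upper()
        if xfo in ("DENY", "SAMEORIGIN"):
            restricted = True
            if xfo == "SAMEORIGIN":
                allowed.add(page_origin)
    if not restricted:
        mode = "none"  # filter off: any site can frame the page
    elif not allowed:
        mode = "deny"
    else:
        mode = "same_origin" if allowed == {page_origin} else "trusted_domain"
    return {"mode": mode, "allowed": allowed}


def may_frame(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """True if a page served from embedder_origin may frame the application."""
    policy = framing_policy(headers, page_origin)
    return policy["mode"] == "none" or embedder_origin.lower() in policy["allowed"]
```

Browsers that ignore both headers are outside this check, which is the "unsupported browsers" limitation the KBA describes.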

Please visit the help portal guide for details on how to enable this feature and more: Clickjacking Filter


See Also

Clickjacking Filter

Keywords

Clickjacking, security, attack, SuccessFactors, BizX, Same Original Domain Only, Define Trusted Domain, KBA, sf bizx system/platform, sf security, LOD-SF-PLT, Platform Foundational Capabilities, How To

Product

SAP SuccessFactors HXM Suite all versions