SAP Knowledge Base Article - Public

2863021 - Configuring Referrer Header and Content Security Header policies for a SuccessFactors instance


  • Customer has concerns about attacks such as cross site scripting and data injection
  • Customer has concerns about disclosure of confidential information through the referrer header when directed to an external website
  • Customer wants further information regarding the security features Referrer Policy and Content Security Policy


SAP SuccessFactors HXM Suite


System release b1911 introduced two new opt-in security features for customers, allowing the activation of Referrer Policy and Content Security Policy.

With the Referrer Policy Header, you can protect your confidential information from being disclosed through the referrer header when you are directed to an external website. To do so, enable the Referrer Policy in Provisioning. You can also add trusted exceptions to the allowlist.

The Content Security Policy Header allows you to protect your system from attacks including Cross Site Scripting and data injection. To do so, enable the Content Security Policy in Provisioning. To avoid any unintended blocking of resources in case of Content Security Policy violations, you can add the pages that contain such resources to the allowlist.

For detailed information regarding each feature, please refer to their respective documentation in full:

Examples of policy headers that can be added in Content Security Policy Header:

  • Add XSS protection header - (X-XSS-Protection)
  • Add MIME sniffing protection header - (X-Content-Type-Options)
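
To confirm the result after enabling both features, the following added example (not SAP code and not part of the original article) audits a response header block for the four headers named above. The sample responses are constructed, and the accepted values come from the public header specifications, not from SuccessFactors documentation.

```python
# Added example (not SAP code): audit a response header block for the four headers
# this article names. Accepted values are assumptions from the public header specs.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}  # full URL sent cross-origin

def parse_headers(raw):
    """Return {lowercased name: [values]}; names are case-insensitive and may repeat."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):  # returns findings; an empty list means all four checks passed
    h, findings = parse_headers(raw), []
    rp = h.get("referrer-policy")
    if not rp:
        findings.append("referrer-policy: missing")
    else:
        # Simplification: treat the last listed policy as the effective one.
        effective = ",".join(rp).split(",")[-1].strip().lower()
        if effective in LEAKY_REFERRER:
            findings.append(f"referrer-policy: '{effective}' sends the full URL to external sites")
    csp = h.get("content-security-policy")
    if not csp:
        mode = "report-only, not enforced" if "content-security-policy-report-only" in h else "missing"
        findings.append(f"content-security-policy: {mode}")
    elif not any({"script-src", "default-src"} & {d.split()[0].lower() for d in p.split(";") if d.strip()}
                 for p in csp):
        findings.append("content-security-policy: no script-src or default-src directive")
    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("x-content-type-options: expected 'nosniff'")
    if "x-xss-protection" not in h:
        findings.append("x-xss-protection: missing")
    return findings

# Constructed sample responses (not captured from a real instance).
BEFORE = """HTTP/1.1 200 OK
Referrer-Policy: unsafe-url
Content-Security-Policy-Report-Only: default-src 'self'
"""
AFTER = """HTTP/1.1 200 OK
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""
if __name__ == "__main__":
    print({"before": audit(BEFORE), "after": audit(AFTER)})
```

To audit a real instance, save the response headers from the browser's network tab or a proxy capture and pass that text to `audit()`.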

See Also

 Setting Up Security Features for SAP SuccessFactors HXM Suite


security, Referrer Policy, Content Security Policy, SPF-610, SPF-533, Cross Site Scripting, data injection, KBA, LOD-SF-PLT-SEC, Security Reports, How To


SAP SuccessFactors HXM Suite all versions