- Customer has concerns about attacks such as cross site scripting and data injection
- Customer has concerns about disclosure of confidential information through the referrer header when directed to an external website
- Customer wants further information regarding the security features Referrer Policy and Content Security Policy
SAP SuccessFactors HXM Suite
System release b1911 introduced two new opt-in security features for customers, allowing the activation of Referrer Policy and Content Security Policy.
With the Referrer Policy Header, you can protect your confidential information from being disclosed through the referrer header when you are directed to an external website by enabling the Referrer Policy in Provisioning. You can also add trusted exceptions to the allowlist.
As for the Content Security Policy Header, it allows you to protect your system from attacks including Cross Site Scripting and data injection by enabling the Content Security Policy in Provisioning. To avoid any unintended blocking of resources in case of Content Security Policy violations, you can add the pages that contain such resources to the allowlist.
For detailed information regarding each feature, please refer to their respective documentation in full:
Examples of policy headers that can be added under the Content Security Policy Header setting:
- Add XSS protection header (X-XSS-Protection)
- Add MIME sniffing protection header (X-Content-Type-Options)
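The following is an added example, not part of this KBA and not SAP code: a small Python audit that reads a set of HTTP response headers and reports whether the four headers named above (Referrer-Policy, Content-Security-Policy, X-Content-Type-Options, X-XSS-Protection) are present and carry values that actually prevent referrer leakage and inline-script injection. The two header sets at the bottom are constructed for illustration; `cdn.example.com` is a placeholder origin, and the findings text is this example's own wording, not SAP's.

```python
"""Audit HTTP response security headers: Referrer-Policy, Content-Security-Policy,
X-Content-Type-Options and X-XSS-Protection (added example, not SAP code)."""

# Referrer-Policy values that never send the full URL (path + query) to a
# cross-origin destination, so confidential data in the URL is not disclosed.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "origin",
    "origin-when-cross-origin",
}


def parse_csp(value):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def audit_security_headers(headers):
    """Return a list of finding strings for a dict of response headers.
    An empty list means every checked header is present with a safe value."""
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing: browser default may leak the URL path to external sites")
    else:
        # A comma-separated fallback list is permitted; the last recognised token wins.
        chosen = [t.strip().lower() for t in rp.split(",")][-1]
        if chosen not in SAFE_REFERRER_POLICIES:
            findings.append(f"Referrer-Policy '{chosen}' can disclose the full URL cross-origin")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: no script/resource restrictions")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is absent.
        script_src = policy.get("script-src", policy.get("default-src", []))
        if not script_src:
            findings.append("CSP has neither script-src nor default-src")
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP allows 'unsafe-inline' scripts, which weakens XSS protection")
        if "*" in script_src:
            findings.append("CSP script-src allows any origin (*)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff' to stop MIME sniffing")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection not set (legacy header; CSP is the primary control)")

    return findings


# Constructed sample header sets (not captured from any real system).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```

Run the script directly to see the weak set produce five findings and the hardened set produce none; in practice you would feed it the headers returned by your own tenant's pages after enabling the features in Provisioning, to confirm the policies are actually emitted.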
security, Referrer Policy, Content Security Policy, SPF-610, SPF-533, Cross Site Scripting, data injection, KBA, LOD-SF-PLT-SEC, Security & Permissions, How To