SAP Knowledge Base Article - Public

2863021 - Configuring Referrer Header and Content Security Header policies for a SuccessFactors instance

Symptom

  • Customer has concerns about attacks such as cross site scripting and data injection
  • Customer has concerns about disclosure of confidential information through the referrer header when directed to an external website
  • Customer wants further information regarding the security features Referrer Policy and Content Security Policy

Environment

SAP SuccessFactors HXM Suite

Resolution

System release b1911 introduced two new opt-in security features for customers, allowing the activation of Referrer Policy and Content Security Policy.

With the Referrer Policy header, you can protect your confidential information from being disclosed through the referrer header when you are directed to an external website. To do so, enable the Referrer Policy in Provisioning. You can also add trusted exceptions to the whitelist.

The Content Security Policy header allows you to protect your system from attacks including Cross Site Scripting and data injection. To do so, enable the Content Security Policy in Provisioning. To avoid unintended blocking of resources in case of Content Security Policy violations, you can add the pages that contain such resources to the whitelist.

For detailed information regarding each feature, please refer to their respective documentation in full:

Keywords

security, Referrer Policy, Content Security Policy, SPF-610, SPF-533, Cross Site Scripting, data injection, KBA, LOD-SF-PLT-SEC, Security & Permissions, How To

Product

SAP SuccessFactors HXM Suite all versions