Protection Against Clickjacking (Framing Protection)
Clickjacking is an attempt to trick users into clicking hidden user interface elements without realizing it. The user thinks he or she is clicking on the underlying frame, but is actually clicking on an action chosen by the attacker.
To prevent malicious applications from using the Portal for clickjacking attacks, protect the Portal applications by enabling clickjacking framing protection.
Clickjacking framing protection ensures that your application runs only in trusted environments when other applications frame it. If the protection determines that the application is not already running in a safe environment, it detects the origin of the framing window and compares it against a fixed value or a list of trusted domains. The function prevents Portal applications from being embedded into other web applications unless you trust the application source. You define the trusted domains in a whitelist for clickjacking framing protection.
To enable clickjacking framing protection for the Portal, do the following:
- Open the SAP NetWeaver Administrator and open the Java application com.sap.portal.runtime.clickjacking.
- Set the EPClickjackingProtectionService parameter to true.
- Save your changes and restart the service.
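The following is an added example, not SAP's code, that models the decision the protection makes as described above: allow the page when it is not framed or when the framing origin is on the whitelist, otherwise deny. The whitelist entries and all origins used here are constructed sample values, and the browser wiring (falling back to document.referrer when the framing window's location is unreadable cross-origin) is an assumption about how such a check is typically hooked up.

```javascript
// Constructed sample whitelist of trusted framing origins (not from the page).
const TRUSTED_FRAMERS = ["https://portal.example.com", "https://intranet.example.com"];

// Reduce a URL or origin string to a comparable origin (scheme + host + non-default port).
// Returns null for anything that is not an http(s) URL, so garbage can never match.
function normaliseOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Core decision: "allow" or "deny".
//   isFramed     - true when the page is inside another document's frame
//   selfOrigin   - origin of this (Portal) page
//   framerOrigin - origin of the framing window, or null when it cannot be determined
// Comparison is an exact origin match, so a look-alike host such as
// "https://intranet.example.com.attacker.invalid" is not trusted.
function framingDecision({ isFramed, selfOrigin, framerOrigin }, whitelist) {
  if (!isFramed) return "allow";                 // top-level: nothing to protect against
  if (framerOrigin == null) return "deny";        // unknown framer: fail closed
  const self = normaliseOrigin(selfOrigin);
  const framer = normaliseOrigin(framerOrigin);
  if (self === null || framer === null) return "deny";
  if (framer === self) return "allow";            // same-origin framing is the application itself
  const trusted = new Set(whitelist.map(normaliseOrigin).filter((o) => o !== null));
  return trusted.has(framer) ? "allow" : "deny";
}

// Browser wiring (assumed, not SAP's implementation): returns the decision, or null
// when there is no window object (e.g. when this file is run under Node for testing).
function enforceInBrowser(whitelist) {
  if (typeof window === "undefined") return null;
  const isFramed = window.top !== window.self;
  let framerOrigin = null;
  try {
    framerOrigin = window.top.location.origin;    // readable only for same-origin framers
  } catch (e) {
    // Cross-origin: the referrer of a framed document is the embedding page (if not suppressed).
    framerOrigin = document.referrer ? normaliseOrigin(document.referrer) : null;
  }
  const decision = framingDecision(
    { isFramed, selfOrigin: window.location.origin, framerOrigin }, whitelist);
  if (decision === "deny") document.documentElement.style.display = "none"; // hide the UI
  return decision;
}
```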