Protection Against Clickjacking (Framing Protection)

Clickjacking is an attempt to trick users into clicking hidden or masked user interface elements without the user realizing it. The user thinks he or she is clicking on the underlying element in the presented context, but is actually clicking on an action chosen by the attacker.

To prevent malicious applications from using SAP NetWeaver Business Client (NWBC) for HTML for clickjacking attacks, protect the NWBC for HTML applications by enabling clickjacking framing protection.

Clickjacking framing protection ensures that your application only runs in trusted environments when other applications frame it. If clickjacking framing protection determines it is not already in a safe environment, clickjacking framing protection detects the origin of the framing window and compares it against a fixed value or list. The function prevents NWBC for HTML applications from being embedded into other web applications, unless you trust the application source. You define trusted domains in a whitelist for clickjacking framing protection.

To enable the global clickjacking framing protection functionality for NWBC for HTML as well as for any other UI frameworks being exposed in the NWBC, maintain the whitelist for clickjacking framing protection.

For more information, search for Using a Whitelist for Clickjacking Framing Protection in the SAP NetWeaver documentation in the SAP Help Portal http://www.help.sap.com (see under  http://help.sap.com/netweaver  Security Guide  Security Guides for SAP NetWeaver Functional Units  Security Guides for the Application Server  Security Guides for AS ABAP  SAP NetWeaver Application Server for ABAP Security Guide  Special Topics ).