SAP NetWeaver comes with its own solution to prevent clickjacking for its most relevant UI frameworks. For more information about this protection, see the corresponding SAP Notes.
By default, clickjacking protection is disabled. To activate it, you need to insert a value into table HTTP_WHITELIST.
Insert values into table HTTP_WHITELIST
Check whether the clickjacking protection service is enabled or disabled. It is disabled if the table contains no record with ENTRY_TYPE=30, or if the table is empty.
Table name: HTTP_WHITELIST
By default, no values are in the table and the service is not enabled. For data that needs to be inserted into table HTTP_WHITELIST, see SAP Note 2142551. Creating an entry with entry type 30 activates the whitelist.
Press F5 or click the new entry icon.
Insert data. See links below for additional information on possible values.
Click save to persist the entry in the table.
Afterwards, the table will contain one record. As the record has value 30 for column ENTRY_TYPE, the clickjacking protection service is enabled.
Activate ICF whitelist service
Adding a record activates the service, but additional configuration steps are needed for apps to work. For instance, accessing a WDA app (e.g. SAML2) at this point results in an HTTP 500 internal server error. This happens because clickjacking protection is activated but the whitelist service is not.
To solve the HTTP 500 error, you need to activate the ICF whitelist service.
Transaction: SICF_INST
Technical name: UICS_BASIC
Execute. This will activate the ICF node.
After enabling the service and the ICF node, the above WDA app will open in the browser.
Additional information on setting whitelist entries.