| loio |
|---|
| 91f3e6056f4d1014b6dd926db0e91070 |
Transport security comprises topics such as encryption and session security.
Security on the client and server side is not sufficient if the data in transit between client and server can be read, intercepted, or even modified by an attacker. By default, HTTP is stateless and unencrypted. Encryption therefore has to be configured explicitly, and session handling has to be added on top of it, either with cookies or with URL rewriting.
Sending HTTP over a TLS-secured connection (HTTPS) is not only standardized, it is also required for SAP applications.
OpenUI5 fully supports HTTPS, but there are some restrictions regarding the CDN version of OpenUI5 when HTTPS is used. It is recommended to enable, or at least to test, TLS connections at an early stage of application development, because switching to HTTPS late usually uncovers issues. When the application is served over HTTPS, the OpenUI5 library also has to be loaded from an HTTPS server; otherwise the browser blocks the bootstrap as mixed content.
Even if the transport is secured with TLS, an attacker can still cause the client to send malicious requests over that secure connection or take over the user's session. Cross-site request forgery (XSRF) and session fixation are two prominent examples of this class of attacks.
OpenUI5 only provides XSRF protection for requests that OpenUI5 itself sends to the server. Currently this is the case in the OData model, which fetches an XSRF token from the server and sends it along with subsequent modifying requests.
The application is responsible for sending the XSRF token header, or for using another mechanism, to protect all other server communication that the application triggers itself.
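The following is an added example of how an application can apply the same token scheme to its own requests (for instance plain `fetch()` calls to a custom endpoint); it is not part of the OpenUI5 documentation or library code. It assumes the SAP Gateway convention that the OData model uses: the client sends `X-CSRF-Token: Fetch` on a safe request, the server returns the token in the same header, and a modifying request with a stale token is rejected with HTTP 403 and `X-CSRF-Token: Required`. The backend here is a constructed in-memory stand-in so the example runs offline; the endpoint paths and token values are invented.

```javascript
// Added example, not OpenUI5 code. Demonstrates fetching an XSRF token and
// attaching it to every non-safe request the application sends itself.
// Assumption: the backend follows the SAP Gateway X-CSRF-Token convention.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

class XsrfClient {
  constructor(fetchImpl, tokenUrl) {
    this.fetchImpl = fetchImpl; // window.fetch in the browser; injected here so it runs offline
    this.tokenUrl = tokenUrl;   // any safe endpoint that honours "X-CSRF-Token: Fetch" (assumed)
    this.token = null;
  }

  async fetchToken() {
    const res = await this.fetchImpl(this.tokenUrl, {
      method: "HEAD",
      credentials: "same-origin",
      headers: { "X-CSRF-Token": "Fetch" },
    });
    const token = res.headers.get("x-csrf-token");
    if (!token || token.toLowerCase() === "required") {
      throw new Error("server did not issue an XSRF token");
    }
    this.token = token;
    return token;
  }

  async request(url, options = {}) {
    const method = (options.method || "GET").toUpperCase();
    if (SAFE_METHODS.has(method)) {
      // Safe methods carry no token; they must never change state on the server.
      return this.fetchImpl(url, { credentials: "same-origin", ...options, method });
    }
    if (this.token === null) {
      await this.fetchToken();
    }
    let res = await this.sendWithToken(url, options, method);
    const hint = (res.headers.get("x-csrf-token") || "").toLowerCase();
    if (res.status === 403 && hint === "required") {
      // Token no longer valid (e.g. the session was renewed): refresh once and retry.
      await this.fetchToken();
      res = await this.sendWithToken(url, options, method);
    }
    return res;
  }

  sendWithToken(url, options, method) {
    const headers = { ...(options.headers || {}), "X-CSRF-Token": this.token };
    return this.fetchImpl(url, { credentials: "same-origin", ...options, method, headers });
  }
}

// Constructed in-memory backend standing in for a real server (not a real endpoint).
// It issues a token on "Fetch", accepts modifying requests only with the current
// token, and answers 403 + "X-CSRF-Token: Required" when the token is stale.
function makeFakeServer() {
  let validToken = "tok-1";
  const log = [];
  const reply = (status, hdrs = {}) => ({
    status,
    headers: { get: (name) => hdrs[name.toLowerCase()] || null },
  });
  const fetchImpl = async (url, opts = {}) => {
    const method = (opts.method || "GET").toUpperCase();
    const sent = Object.fromEntries(
      Object.entries(opts.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
    );
    const token = sent["x-csrf-token"] || null;
    log.push(`${method} ${url} ${token || "-"}`);
    if (SAFE_METHODS.has(method)) {
      return token === "Fetch" ? reply(200, { "x-csrf-token": validToken }) : reply(200);
    }
    return token === validToken ? reply(204) : reply(403, { "x-csrf-token": "Required" });
  };
  return { fetchImpl, log, rotate: () => { validToken = "tok-2"; } };
}

// Walk through: first write fetches a token, a rotated token triggers one retry,
// and a GET is sent without any token. Returns the statuses and the request log.
async function runDemo() {
  const server = makeFakeServer();
  const client = new XsrfClient(server.fetchImpl, "/api/");
  const statuses = [];
  statuses.push((await client.request("/api/orders", { method: "POST", body: "{}" })).status);
  server.rotate(); // backend invalidates the old token
  statuses.push((await client.request("/api/orders/1", { method: "DELETE" })).status);
  statuses.push((await client.request("/api/orders", { method: "GET" })).status);
  return { statuses, log: server.log };
}

runDemo().then((r) => console.log(r.log.join("\n"), r.statuses));
```

The retry is deliberately limited to one attempt: if the server still rejects the refreshed token, the error surfaces to the application instead of looping. In a real deployment the token endpoint must be same-origin and the cookie-based session must be sent with it, which is what `credentials: "same-origin"` ensures.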