SAP Knowledge Base Article - Preview

3585379 - SAPUI5 Security: SAPUI5 CDN does not have security headers in place

Symptom

An SAP third-party security audit of a Fiori application or an SAPUI5-based application reports the following findings:

Issue #1: Modern browsers support many HTTP headers that can improve web application security and protect against clickjacking, cross-site scripting, and other common attacks. The application does not have these security headers in place.

      • Flagged URL audits against the following:
        <SAPUI5 available host>/resources/sap-ui5-core.js
      • Audit Recommendation 1: It is recommended to implement all the necessary security headers as per the business requirements.
        • Content-Security-Policy
        • X-Frame-Options
        • X-Content-Type-Options
        • X-XSS-Protection
      • Audit Recommendation 2: For Cache-Control
        • Cache-Control: no-cache, no-store
        • Expires: 0

Issue #2: Misconfigured Access-Control-Allow-Origin header. This header specifies which third-party origins are allowed to access a given resource.

      • Flagged URL audits against the following:
        <SAPUI5 available host>/resources/sap-ui5-core.js
        with the response header
        Access-Control-Allow-Origin: *
      • Audit Recommendation: It is recommended to configure the Access-Control-Allow-Origin response header correctly throughout the application. If a request comes from an untrusted origin, the server must reject it. It may seem obvious, but the origins specified in the Access-Control-Allow-Origin header should only be sites that are trusted. Dynamically reflecting origins from cross-domain requests without validation is readily exploitable and should be avoided.
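As an added example (not part of this KBA and not SAP code), the following Python script checks one HTTP response's header set against the two audit findings above: presence of the four headers from Recommendation 1, the `Cache-Control: no-cache, no-store` / `Expires: 0` pair from Recommendation 2, and the wildcard `Access-Control-Allow-Origin: *` from Issue #2. It also shows the allow-list approach to choosing the `Access-Control-Allow-Origin` value, as the alternative to reflecting whatever `Origin` a request carries. The sample header sets, the `app.example.com` origin and the allow-list are constructed for illustration; the header values shown for the hardened response are placeholders, not SAP's recommended values.

```python
"""Audit one HTTP response's headers against the findings listed above.

Added example, not part of the SAP KBA. All sample data below is constructed.
"""
from typing import Collection, Dict, List, Optional

# Headers named in Audit Recommendation 1 (presence check only; the
# correct values depend on the application and its business requirements).
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
)


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings (empty list means no finding).

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Recommendation 1: are the security headers present at all?
    for name in REQUIRED_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing header: {name}")

    # Recommendation 2: Cache-Control: no-cache, no-store and Expires: 0
    cache_control = lower.get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    if not {"no-cache", "no-store"} <= directives:
        findings.append("Cache-Control lacks no-cache and/or no-store")
    if lower.get("expires", "").strip() != "0":
        findings.append("Expires is not 0")

    # Issue #2: wildcard CORS origin on the resource
    if lower.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin is the wildcard '*'")
    return findings


def allowed_origin(request_origin: Optional[str], allow_list: Collection[str]) -> Optional[str]:
    """Choose the Access-Control-Allow-Origin value for a request.

    Returns the request's Origin only when it matches an allow-list entry
    exactly; otherwise None, meaning: send no ACAO header, so the browser
    blocks the cross-origin read. This is the allow-list alternative to
    reflecting arbitrary origins, which the audit warns against.
    """
    if request_origin is None:
        return None
    origin = request_origin.strip()
    return origin if origin in allow_list else None


# Constructed sample resembling the flagged CDN response (no security headers,
# long-lived caching, wildcard CORS).
FLAGGED_RESPONSE_HEADERS = {
    "Content-Type": "application/javascript",
    "Access-Control-Allow-Origin": "*",
    "Cache-Control": "public, max-age=31536000",
}

# Constructed sample with every header the audit asks for (placeholder values).
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "application/javascript",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",  # value per your policy; current guidance is to set 0
    "Cache-Control": "no-cache, no-store",
    "Expires": "0",
    "Access-Control-Allow-Origin": "https://app.example.com",
}

# Constructed allow-list of trusted origins (hypothetical host).
TRUSTED_ORIGINS = frozenset({"https://app.example.com"})

if __name__ == "__main__":
    for finding in audit_response_headers(FLAGGED_RESPONSE_HEADERS):
        print("FINDING:", finding)
    print("hardened response findings:", audit_response_headers(HARDENED_RESPONSE_HEADERS))
    print("trusted origin ->", allowed_origin("https://app.example.com", TRUSTED_ORIGINS))
    print("other origin   ->", allowed_origin("https://other.example.net", TRUSTED_ORIGINS))
```

To run this against a live response, pass the header mapping from your HTTP client (for example the `headers` attribute of a `requests` response) to `audit_response_headers`. The allow-list check deliberately matches whole origins, including scheme, so a substring or prefix comparison is never used.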

Environment

  • BTP - all versions
  • S/4HANA - all versions

Product

SAP BTP, Neo environment 1.0 ; SAP S/4HANA 2020 ; SAP S/4HANA 2022 ; SAP S/4HANA 2023

Keywords

security vulnerability, Content-Security-Policy (CSP), security violation SAPUI5, Access-Control-Allow-Origin: *, clickjacking, X-Frame-Options, Security Audits, X-Content-Type-Options, Sensitive Information, outdated X-XSS-Protection, security sap-ui-core.js, security SAPUI5 CDN, cdm.js, security core-min-0.js, security core-min-1.js, security core-min-2.js, core-min-3.js, abap.js, Network Tab, OData Call, SAP Business Application Studio, CAP NodeJS, SAPUI5, UI Masking, GRC-UDS-DO, BTP Platform, GET, POST, HTTP Methods, KBA, CA-UI5-DLV, UI5 ABAP delivery tools, CA-UI5-COR, Core and Runtime, Problem

About this page

This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).