Symptom
SAP Third Party Audit against Fiori application or UI5 designed application with the following descriptions:
Issue #1: Modern browsers support many HTTP headers that can improve web application security to protect against clickjacking, cross-site scripting, and other common attacks. The application does not have security headers in place.
- Flagged URL audits against the following:
  <SAPUI5 available host>/resources/sap-ui5-core.js
- Audit Recommendation 1: It is recommended to implement all the necessary security headers as per the business requirements:
  Content-Security-Policy
  X-Frame-Options
  X-Content-Type-Options
  X-XSS-Protection
- Audit Recommendation 2: For Cache-Control:
  Cache-Control: no-cache, no-store
  Expires: 0
Issue #2: Misconfigured Access-Control-Allow-Origin header. This header allows the defined third party to access a given resource.
- Flagged URL audits against the following:
  <SAPUI5 available host>/resources/sap-ui5-core.js
  with the response header
  Access-Control-Allow-Origin: *
- Audit Recommendation: It is recommended to configure the Access-Control-Allow-Origin response header correctly throughout the application. If any request comes from an untrusted origin, the request must be rejected by the server. It may seem obvious, but origins specified in the Access-Control-Allow-Origin header should only be sites that are trusted. Dynamically reflecting origins from cross-domain requests without validation is readily exploitable and should be avoided.
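As an added example for both issues above (this is not SAP code and not part of the KBA), the following Node.js-compatible JavaScript puts Recommendation 1 and 2 and the CORS recommendation in one place: a header set that carries every header the audit looks for, an allowlist-based replacement for `Access-Control-Allow-Origin: *`, and a small check that reproduces the audit's findings against a captured response header map. The host names, the CSP value and all function names are assumptions, not SAP defaults; in particular the CSP must be widened to whichever host the SAPUI5 runtime is actually loaded from, or the application will not start.

```javascript
// Added example for this KBA (not SAP code): apply the audit's recommended
// response headers and replace "Access-Control-Allow-Origin: *" with an
// allowlist. Host names, the CSP value and all function names are assumptions.

// Recommendation 1 (security headers) and Recommendation 2 (Cache-Control).
// The CSP is an assumed strict baseline: a real UI5 app must allow the host it
// loads the SAPUI5 runtime from (script-src / connect-src) or it will not start.
function securityHeaders() {
  return {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    // Legacy header: current guidance is to send 0 (browser filter off). It is
    // sent only because the audit checks for its presence.
    "X-XSS-Protection": "0",
    "Cache-Control": "no-cache, no-store",
    "Expires": "0",
  };
}

// Trusted origins (constructed placeholders). Match the exact origin string
// (scheme + host + port); a substring or suffix check can be bypassed.
const TRUSTED_ORIGINS = new Set([
  "https://fiori.example.com",
  "https://launchpad.example.com",
]);

// CORS headers for a request carrying `origin`, or null when the request must
// be rejected. A request without an Origin header is same-origin (or not a
// browser CORS request) and needs no CORS headers at all.
function corsHeadersFor(origin, trusted = TRUSTED_ORIGINS) {
  if (origin === undefined) return {};
  if (!trusted.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // echo only an allowlisted value, never "*"
    "Vary": "Origin",                      // per-origin answers must not be cached across origins
  };
}

// Build the response for a request for a static UI5 resource. Returns
// { status, headers } so it can be wired into http.createServer or a
// CAP/Express middleware and also checked directly.
function buildResponse(origin) {
  const cors = corsHeadersFor(origin);
  if (cors === null) {
    return { status: 403, headers: securityHeaders() };
  }
  return {
    status: 200,
    headers: { ...securityHeaders(), ...cors, "Content-Type": "application/javascript" },
  };
}

// Constructed example of what the audit flagged: a response for
// /resources/sap-ui5-core.js with only the wildcard CORS header.
const FLAGGED_RESPONSE_HEADERS = {
  "Content-Type": "application/javascript",
  "Access-Control-Allow-Origin": "*",
};

// Reproduce the audit's checks against a captured response header map
// (e.g. copied from the browser Network tab). Returns a list of findings;
// an empty list means the response passes both issues in the KBA.
function auditResponseHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  for (const name of ["Content-Security-Policy", "X-Frame-Options",
                      "X-Content-Type-Options", "X-XSS-Protection"]) {
    if (!(name.toLowerCase() in lower)) findings.push(`missing ${name}`);
  }
  const cacheControl = lower["cache-control"] || "";
  if (!/\bno-cache\b/.test(cacheControl) || !/\bno-store\b/.test(cacheControl)) {
    findings.push("Cache-Control lacks no-cache, no-store");
  }
  if (lower["expires"] !== "0") findings.push("Expires is not 0");
  if (lower["access-control-allow-origin"] === "*") {
    findings.push("Access-Control-Allow-Origin is the wildcard *");
  }
  return findings;
}
```

Running `auditResponseHeaders(FLAGGED_RESPONSE_HEADERS)` reports the same set of problems the audit raised for sap-ui5-core.js, while `auditResponseHeaders(buildResponse("https://fiori.example.com").headers)` returns an empty list. The `Vary: Origin` header matters as soon as the allowed origin is echoed per request: without it a shared cache may serve one origin's `Access-Control-Allow-Origin` value to another.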
Environment
- BTP - all versions
- S/4HANA - all versions
Product
Keywords
security vulnerability, Content-Security-Policy
(CSP), security violation SAPUI5, Access-Control-Allow-Origin: *,
clickjacking, X-Frame-Options, Security Audits, X-Content-Type-Options,
Sensitive Information, outdated X-XSS-Protection,
security sap-ui-core.js, security SAPUI5 CDN, cdm.js, security core-min-0.js, security core-min-1.js, security core-min-2.js, core-min-3.js, abap.js, Network Tab, OData Call, SAP Business Application Studio, CAP NodeJS, SAPUI5, UI Masking, GRC-UDS-DO, BTP Platform, GET, POST, HTTP Methods. , KBA , CA-UI5-DLV , UI5 ABAP delivery tools , CA-UI5-COR , Core and Runtime , Problem
About this page
This is a preview of an SAP Knowledge Base Article.