Configuring HTTP Context Types

For each phase in whitelist management, choose appropriate check modes for the available HTTP context types.

Perform the following steps to configure the individual HTTP context types:

  1. In transaction UCONCOCKPIT, choose the HTTP Whitelist scenario.
  2. You can now configure check modes for four different HTTP context types:
    • Trusted Network Zone: Lists URL patterns for which a redirect is allowed or blocked.

    • Clickjacking Framing Protection: Special context type for clickjacking protection.

      You can configure Clickjacking Framing Protection either directly using the table HTTP_WHITELIST (see Using a Whitelist for Clickjacking Framing Protection) or using the UCON whitelist scenario. If UCON is already used in your system, a dialog box appears when the scenario is called in the UCON Cockpit prompting you to select one of the two configuration methods. If you select the UCON whitelist scenario for the configuration, any manual changes made to the table HTTP_WHITELIST are ignored by the clickjacking check. If you have not yet used UCON management and are activating it for the first time, the UCON clickjacking check is activated automatically at the same time and the check using HTTP_WHITELIST is deactivated.

      In the UCON HTTP whitelist scenario, you also have the option of deactivating the entire clickjacking check. To do this, choose HTTP Whitelist → Configuration on the initial page of the whitelist scenario and remove the Activate clickjacking protection for all clients flag. Deactivating the clickjacking check is not recommended.

    • CSS Style Sheet: List of all CSS style sheets permitted for use in the GUI or blocked for the GUI.
    • Cross-Origin Resource Sharing (CORS): Context type for the management of calls that want to perform specific actions (such as the HTTP methods GET, PUT, and POST) on the server in question.
  3. For each of these, choose one of the following options for Mode:
    • Logging: No check is made (logging phase).
    • Simulated Check: A check is made to see whether a URL is covered by a pattern in the whitelist, but no error is raised (simulation phase).
    • Active Check: A check is made. If the URL in question is not covered by a pattern in the whitelist, an error is displayed (final phase).
  4. Choose Save to activate the chosen check and logging modes.
  5. Wait until the log entries for the HTTP context type in question are available in the system and then continue with the next steps (Displaying Log Entries and Editing HTTP Whitelists and No-Log Lists).