Configuring SAP HANA XS Session Security


For session security, SAP HANA XS automatically configures the session cookie xsSessionId with the attribute HttpOnly. However, the attribute secure is not supported. If you use a reverse proxy (instead of SAP Web Dispatcher) in your system landscape, you can add this attribute by configuring the reverse proxy with a header rewrite rule on the Set-Cookie header.
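The following sketch is an added example, not SAP code or the syntax of any particular reverse proxy. It shows the logic such a header rewrite rule has to implement, and a check you can run against captured response headers to confirm the result. The function names and the sample headers are constructed for illustration, and the example assumes that the reverse proxy serves clients over HTTPS.

```python
SESSION_COOKIE = "xsSessionId"  # cookie name taken from this page

# Constructed sample: backend response headers as the reverse proxy receives them.
BACKEND_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "xsSessionId=CONSTRUCTED-VALUE-0001; path=/; HttpOnly"),
    ("Set-Cookie", "uiTheme=blue; path=/"),  # unrelated cookie, must stay untouched
]

def cookie_name(value):
    """Name of the cookie set by one Set-Cookie header value."""
    return value.split(";", 1)[0].split("=", 1)[0].strip()

def cookie_attributes(value):
    """Lower-cased attribute names (path, httponly, secure, ...) of one value."""
    return {p.split("=", 1)[0].strip().lower()
            for p in value.split(";")[1:] if p.strip()}

def add_secure(value, name=SESSION_COOKIE):
    """The rewrite rule: append Secure to the session cookie only, and only once."""
    if cookie_name(value) != name or "secure" in cookie_attributes(value):
        return value
    return value.rstrip().rstrip(";").rstrip() + "; Secure"

def rewrite_headers(headers):
    """Apply the rule to every Set-Cookie header; leave all other headers as-is."""
    return [(n, add_secure(v) if n.lower() == "set-cookie" else v)
            for n, v in headers]

def missing_flags(headers, name=SESSION_COOKIE):
    """Flags the session cookie lacks; None if the response does not set it."""
    for n, v in headers:
        if n.lower() == "set-cookie" and cookie_name(v) == name:
            return sorted({"httponly", "secure"} - cookie_attributes(v))
    return None

if __name__ == "__main__":
    print("from backend :", missing_flags(BACKEND_HEADERS))
    print("after proxy  :", missing_flags(rewrite_headers(BACKEND_HEADERS)))
```

The rule is idempotent and matches on the cookie name, so it does not duplicate the attribute or alter other cookies in the same response.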


A token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway and SAP HANA XS SAP Fiori OData services. It protects all modifying requests.

More Information

For more information about defining access to individual application packages in SAP HANA XS, see SAP Help Portal under Development and Modeling > SAP HANA Developer Guide for SAP HANA Studio > Setting Up Your Application > Creating the Application Descriptors > Enable Access to SAP HANA XS Application Packages.