For session security, SAP HANA XS automatically sets the HttpOnly attribute on the session cookie xsSessionId. The Secure attribute, however, is not supported, so XS never sets it. If you use a reverse proxy (instead of SAP Web Dispatcher) in your system landscape, you can add this attribute by configuring the reverse proxy with a header rewrite rule on the Set-Cookie header.
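The following is an added example of such a rewrite rule; it is not part of the SAP documentation. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy and mod_headers as the reverse proxy, and the hostnames, port and certificate paths are placeholders.

```apache
# Added example, not from the SAP documentation: Apache httpd 2.4 (mod_ssl,
# mod_proxy, mod_headers) as the reverse proxy in front of SAP HANA XS.
# hana.example.com, hana-xs.internal:8000 and the certificate paths are placeholders.
<VirtualHost *:443>
    ServerName hana.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/hana.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/hana.example.com.key

    ProxyPreserveHost On
    ProxyPass        / http://hana-xs.internal:8000/
    ProxyPassReverse / http://hana-xs.internal:8000/

    # XS already sets HttpOnly on xsSessionId but never sets Secure. Append the
    # Secure flag on the way out so browsers only return the cookie over TLS.
    # "always" applies the rule to error responses as well as successful ones;
    # only the xsSessionId cookie is matched, other Set-Cookie headers pass unchanged.
    Header always edit Set-Cookie "^(xsSessionId=.*)$" "$1; Secure"
</VirtualHost>

# Check from a client after reloading httpd (placeholder path):
#   curl -skI https://hana.example.com/<path-to-xs-app>/ | grep -i '^set-cookie'
# The xsSessionId header should still carry HttpOnly and now end with "; Secure".
```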
A token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway and SAP HANA XS SAP Fiori OData services. It protects all modifying requests.
For more information about defining access to individual application packages in SAP HANA XS, see the SAP Help Portal at http://help.sap.com/hana_platform.