SAP Fiori client applications are HTML5 applications that access multiple back-end systems. However, JavaScript code is constrained by the Same Origin Policy. For this reason, all systems are exposed to the browser through SAP Web Dispatcher (or a reverse proxy), which brings them into a common origin (combination of protocol, hostname, and port).
In addition to solving the same origin problem, this enables you to control which services are actually exposed to the client, reducing the system attack surface.
We recommend routing to the application servers only those requests that correspond to the services required by the applications you want to use. To do this, configure URL filtering and routing at the SAP Web Dispatcher or reverse proxy level.
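The following added example (not SAP code and not SAP Web Dispatcher configuration syntax) models the recommended default-deny routing check so that a planned allowlist can be audited before it is configured on the proxy. The path prefixes, the service names, and the functions `normalize`, `is_routed`, and `audit` are assumptions made for this illustration.

```python
"""Default-deny URL allowlist audit (illustrative model, assumed names)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed allowlist: prefixes of the services the deployed apps need.
# The trailing slash stops "/sap/opu/odata/" from also matching "/sap/opu/odatax".
ALLOWED_PREFIXES = (
    "/sap/opu/odata/",   # OData services (assumed)
    "/sap/bc/ui5_ui5/",  # UI5 application resources (assumed)
    "/sap/bc/ui2/",      # launchpad services (assumed)
)

# Constructed sample requests for the audit.
REQUIRED = [
    "/sap/opu/odata/sap/ZDEMO_SRV/$metadata",
    "/sap/bc/ui5_ui5/sap/zdemo/index.html",
    "/sap/bc/ui2/start_up?so=x",
]
MUST_BLOCK = [
    "/sap/bc/zunused_service/x",
    "/sap/opu/odata/../../bc/zunused_service/x",
    "/sap/opu/odata/%2e%2e/%2e%2e/bc/zunused_service/x",
]

def normalize(url):
    """Return the canonical path of a request URL, or None if it is malformed."""
    path = unquote(urlsplit(url).path)
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return None
    if unquote(path) != path:  # still encoded after one pass: double encoding
        return None
    canonical = posixpath.normpath(path)  # resolves "." and ".." segments
    if path.endswith("/") and canonical != "/":
        canonical += "/"
    return canonical

def is_routed(url, allowed=ALLOWED_PREFIXES):
    """True only if the canonical path falls under an allowlisted prefix."""
    path = normalize(url)
    return path is not None and any(path.startswith(p) for p in allowed)

def audit(required, must_block, allowed=ALLOWED_PREFIXES):
    """Return (required URLs that are blocked, unwanted URLs that are routed)."""
    broken = [u for u in required if not is_routed(u, allowed)]
    exposed = [u for u in must_block if is_routed(u, allowed)]
    return broken, exposed

if __name__ == "__main__":
    print(audit(REQUIRED, MUST_BLOCK))                    # narrow allowlist
    print(audit(REQUIRED, MUST_BLOCK, allowed=("/sap/",)))  # overly broad rule
```

Both lists come back empty for the narrow allowlist, while the single broad `/sap/` prefix reports every entry of `MUST_BLOCK` as exposed.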
Transactional apps
If you use transactional apps only in the intranet zone, implementing SAP Web Dispatcher is not obligatory.
If you use transactional apps supported for consumption by Internet clients, see Internet-Facing Deployment.
Analytical apps
Analytical apps consume OData services exposed by SAP HANA. We recommend explicitly restricting access to the OData services that are actively used by configuring the corresponding redirection rules in SAP Web Dispatcher or the reverse proxy of your choice. For more information about configuring SAP Web Dispatcher for analytical apps, see the Configuration section in the Central Implementation Information for analytical apps.
Search in SAP Fiori Launchpad
Searching in SAP Fiori Launchpad triggers requests towards the ABAP back-end server.
For more information about enabling the search, see the Configuration section in the Central Implementation Information for transactional apps and fact sheets.
For more information about using SAP Web Dispatcher as a URL filter, see the following documentation:
For SAP NetWeaver 7.31, see the SAP Help Portal.
For SAP NetWeaver 7.40, see the SAP Help Portal.