Security Aspects for UI Theme Designer

There are several security aspects you need to consider when using the UI theme designer. Security functions are provided for when you create custom themes as well as for when you consume these custom themes.

Using the UI Theme Designer Tool

The following security information is relevant for using the UI theme designer tool (for example creating themes).

Network security

You can run the UI theme designer in both http and https mode. To protect the confidentiality of your data in transit, we recommend that you use https mode (secure browsing mode).

ICF nodes

For security reasons, all Internet Communication Framework (ICF) services are available in an inactive state. You have to decide which services must be activated for the applications you want to use.

To be able to use the UI theme designer tool (for example, creating themes), activate the following ICF nodes:

  • /sap/public/bc/themes
  • /sap/bc/theming

Authentication and Authorization Checks

Authentication is required to access the UI theme designer.

For write access to the UI theme designer (create, update, delete themes), you must be assigned the relevant authorization object:

Table 1:

Authorization object     UI5/THEME
ACTVT (Activity)         02 (Change)
/UI5/THMID (Theme Id)    * = all themes
XSRF protection

The UI theme designer provides mechanisms to protect against XSRF (Cross-Site Request Forgery) attempts. A given request (for example, creating a new directory in the theme repository) is only accepted if it contains a valid XSRF token, which protects against such attacks.

For more information, see SAP Note 1551982.

Virus scan for file upload

A virus scan is run for all files uploaded to the theme repository.

However, no virus scan is run for files uploaded to the tool's local storage.

Local storage

You can save your theme draft in the browser's persistent storage. Since this is not a secure storage location, you should not use it to store sensitive data. Moreover, your theme data might be lost if you delete the browser's cache.

Productive Use of Themes

The following security information is relevant for the productive use of themes created with the UI theme designer.

ICF nodes

To enable productive use of themes, activate the following ICF node:

/sap/public/bc/themes

The ICF node /sap/bc/theming must not be activated.

Whitelist check for Web Dynpro ABAP

For the productive use of themes in Web Dynpro ABAP applications, a whitelist check is available. The security risk list (table HTTP_WHITELIST) is applied, so only theme locations matching an entry in that list are accepted.

For more information, see the SAP Library for SAP NetWeaver and search for Security Risk List.
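To illustrate what such a whitelist check does for an externally supplied theme root URL, here is a small model written for this page; it is not SAP's code and does not read the HTTP_WHITELIST table. The row layout (protocol, host, port, URL path pattern) and the sample entries are assumptions constructed for the example.

```python
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import urlsplit

# Constructed whitelist rows: (protocol, host, port, url-path pattern).
# The field layout is an assumption made for this example; "*" is a wildcard.
WHITELIST = [
    ("https", "themes.example.corp", "443", "/sap/public/bc/themes/*"),
    ("https", "*.example.corp", "8443", "/sap/public/bc/themes/*"),
]


def _match(pattern, value):
    """Empty pattern means 'no restriction'; otherwise a case-sensitive glob match."""
    return pattern == "" or fnmatchcase(value, pattern)


def theme_root_allowed(theme_root, whitelist=WHITELIST):
    """Return True only if the theme root URL matches at least one whitelist row."""
    try:
        parts = urlsplit(theme_root)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Reject anything that is not a plain http(s) URL with a host.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    port = str(port) if port else ("443" if parts.scheme == "https" else "80")
    # Normalise the path so "/.." segments cannot escape the allowed prefix.
    path = normpath(parts.path or "/")
    for proto, host, port_pat, path_pat in whitelist:
        if (_match(proto, parts.scheme) and _match(host, parts.hostname)
                and _match(port_pat, port) and _match(path_pat, path)):
            return True
    return False
```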