Transport Security
Transport security comprises topics such as encryption and session security.
Security on the client and server side is not sufficient if the data transport between client and server can be read, intercepted, or even modified by an attacker. Per default, HTTP communication is stateless and unencrypted and this makes it necessary to configure it in a way that it is using encrypted connections and to add session handling on top using either cookies or URL rewriting.
Sending the HTTP protocol over a SSL secured connection is not only standardized, but also required for SAP applications.
SAPUI5 fully supports the use of HTTPS, but there are some restrictions regarding the CDN version of SAPUI5 when HTTPS is used. It is recommended to enable or at least to test SSL connections in an early stage of application development, as usually switching to HTTPS causes some issues. First of all, when the application is started using HTTPS, the SAPUI5 library also has to be loaded from an HTTPS server. Second, Internet Explorer 8 and 9 have some additional restrictions regarding cross-origin requests with HTTPS, which are related to the security zone concept.
Even if the data transport is secured using SSL or TLS, there are possibilities to hijack such a secure connection and sending malicious requests from the client. Cross-site request forgery and session fixation are two of the prominent examples of this class of attacks.
SAPUI5 does only provide XSRF prevention for the data, which is sent to the server by SAPUI5. Currently this only happens in the OData Model, where a XSRF token is read from the server and used for subsequent write requests.
Application is responsible for using XSRF header or other mechanisms to prevent XSRF for all other server communication triggered by the application.