Andre Fischer

How to Avoid Caching of Confidential Data

When building SAP Fiori-like custom applications, customers may have the concern that confidential data may be cached by the browser and may thus potentially remain on the device.

To avoid this behavior, the response of our SAP NetWeaver Gateway OData service has to contain the following values in the HTTP header:

Cache-Control: no-cache, no-store

Pragma: no-cache

Fortunately, the SAP NetWeaver Gateway developer has the option to instruct the user agent not to cache specific data if needed.

We will enhance the simple sample service showing product data that I have described in the following whitepaper:

How to Develop a Gateway Service using Code based Implementation

The only thing we have to do is add the following code, which I have taken from the SAP Online Help, to the GET_ENTITYSET method.

data: ls_header type ihttpnvp.

" Tell the user agent not to cache or store the response
ls_header-name = 'Cache-Control'.
ls_header-value = 'no-cache, no-store'.
set_header( ls_header ).

" Same instruction for HTTP/1.0 caches
ls_header-name = 'Pragma'.
ls_header-value = 'no-cache'.
set_header( ls_header ).

When running the URI /sap/opu/odata/sap/ZPRODUCT_SRV/ProductSet in the SAP NetWeaver Gateway Client, you will notice that the appropriate header values have been set.
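
A check for the result described above, as an added example that is not part of the original post or of SAP's code: it parses a raw HTTP response and reports which of the two header values are missing. The function names and the sample responses are constructed for illustration.

```python
from email.parser import Parser

# Directives the article asks the OData response to carry.
REQUIRED = {
    "cache-control": {"no-cache", "no-store"},
    "pragma": {"no-cache"},
}

def parse_headers(raw):
    """Return the header section of a raw HTTP response as a message object."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status_line, _, header_block = head.partition("\n")
    return Parser().parsestr(header_block, headersonly=True)

def directives(msg, name):
    """Collect lower-cased directives from every occurrence of a header."""
    found = set()
    for value in msg.get_all(name, []):  # header names match case-insensitively
        for item in value.split(","):
            token = item.strip().split("=", 1)[0].lower()
            if token:
                found.add(token)
    return found

def missing_directives(raw):
    """Map header name -> sorted missing directives; empty dict means all set."""
    msg = parse_headers(raw)
    gaps = {}
    for header, required in REQUIRED.items():
        absent = required - directives(msg, header)
        if absent:
            gaps[header] = sorted(absent)
    return gaps

# Constructed sample responses, not captured from a real system.
WITH_HEADERS = ("HTTP/1.1 200 OK\r\n"
                "content-type: application/atom+xml;type=feed\r\n"
                "cache-control: no-cache, no-store\r\n"
                "pragma: no-cache\r\n\r\n<feed/>")
PARTIAL = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: application/json\r\n"
           "Cache-Control: No-Cache\r\n\r\n{}")

if __name__ == "__main__":
    for label, raw in (("with headers", WITH_HEADERS), ("partial", PARTIAL)):
        print(label, "->", missing_directives(raw) or "ok")
```

Running the same check against every request type the frontend issues shows whether any response leaves the service without the two headers.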

      William van Strien

      Thank you Andre, as discussed we need + will implement this behaviour in a customer mobile Gateway App.

      Vijay Vegesana

      Hello Andre,

      One quick question: I added two new fields in dev system and I am able to see the new fields in the metadata whereas I am not getting Cache-control and Pragma in the HTTP response in Dev Environment.

      I have moved the same transport to QA and I am not able to see the new fields in the metadata. I compared the version in both DEV and QA, these are same.

      1) Cleared the cache in both front end and back end in QA.

      2) In HTTP response I am getting Cache-control and Pragma in QA Environment.

      Can you please let us know ASAP, as we got stuck here.

      Not able to see the added new fields in Quality system

      And also one more pointer:

      1) Please find the screen shots for DEV and QA for HTTP Responses.

      2) Is there any difference in Server Protocol HTTP/1.0 and HTTP 1.1

      3) In Dev it is showing as HTTP/1.0 and in QA it is showing as HTTP/1.1


      Can you please let us know is anything stopping us because of this HTTP Responses.



      Andre Fischer
      Blog Post Author

      Hi Vijay,

      the difference in both screen shots is not only the system but also the URL being called.

      In HQA you call the URL of the service document whereas in HQU you call the URL of the $metadata document.

      So you should try to call the same URLs

      <service_root_URL>?$format=xml and

      <service_root_URL>/$metadata in both systems and only compare the response of the same URL.



      Vijay Vegesana

      Hi Andre,

      Sorry Wrong screenshot:

      Please find below, even though I called with $metadata, am getting the same HTTP Response in QA.




      Vijay Vegesana

      Hi Andre,

      Anything which we need to look into HTTP headers ( max_age, expires ) etc..



      Ioan Radulescu

      thanks, awesome stuff. I would like to know more about security with ODATA and SAPUI5. I think security is becoming fast the most important thing about developing software... And we're very exposed with Web Applications so yeah, I'd take a course on that, if there is one.

      Meinrad Funke

      Hi Andre,

      thanks. Very interesting stuff. Following your advice I was able to add HTTP headers. However, our frontend developers use batch requests per default.

      And in that case the header values are missing. Makes kind of sense as there might be conflicts if we have several requests in one batch.

      Is there a similar way to add the same HTTP headers in that case?


      Thanks and regards