How to Avoid Caching of Confidential Data
When building SAP Fiori-like custom applications, customers may be concerned that confidential data is cached by the browser and may thus remain on the device.
To avoid this behavior, the response of our SAP NetWeaver Gateway OData service has to contain the following values in the HTTP header:
cache-control: no-cache, no-store
pragma: no-cache
There is fortunately the option for the SAP NetWeaver Gateway developer to instruct the User Agent not to cache specific data if needed.
We will enhance the simple sample service showing product data that I have described in the following whitepaper:
How to Develop a Gateway Service using Code based Implementation
The only thing we have to do is to add the following code, which I have taken from the SAP Online Help, to the GET_ENTITYSET method.
data: ls_header type ihttpnvp.
" Tell the user agent not to cache or store the response
ls_header-name = 'Cache-Control'.
ls_header-value = 'no-cache, no-store'.
set_header( ls_header ).
" Same instruction for HTTP/1.0 caches
ls_header-name = 'Pragma'.
ls_header-value = 'no-cache'.
set_header( ls_header ).
When running the following URI /sap/opu/odata/sap/ZPRODUCT_SRV/ProductSet in the SAP NetWeaver Gateway Client you will notice that the appropriate header values have been set.
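To repeat this check outside the Gateway Client, the following added example (not part of the original post and not SAP code) parses a response head and reports which of the two header values are missing. The sample responses are constructed, and the function name caching_gaps is an assumption made for this illustration.

```python
"""Check an HTTP response head for the anti-caching headers this post sets."""
from email.parser import Parser

REQUIRED_CACHE_CONTROL = {"no-cache", "no-store"}  # values set via set_header above


def caching_gaps(raw_head: str) -> list[str]:
    """Return a list of problems; an empty list means both headers are as required."""
    # Drop the status line, then parse the header lines (names are case-insensitive).
    _, _, header_text = raw_head.replace("\r\n", "\n").partition("\n")
    headers = Parser().parsestr(header_text, headersonly=True)

    # Cache-Control may appear several times; merge all comma-separated directives.
    directives = set()
    for value in headers.get_all("Cache-Control", []):
        for item in value.split(","):
            name = item.strip().split("=", 1)[0].lower()
            if name:
                directives.add(name)

    gaps = [f"Cache-Control lacks {d}" for d in sorted(REQUIRED_CACHE_CONTROL - directives)]
    pragma = {p.strip().lower() for v in headers.get_all("Pragma", []) for p in v.split(",")}
    if "no-cache" not in pragma:
        gaps.append("Pragma lacks no-cache")
    return gaps


# Constructed sample response heads (not captured from a real system).
WITH_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: application/atom+xml;type=feed\r\n"
    "cache-control: no-cache, no-store\r\n"
    "pragma: no-cache\r\n\r\n"
)
WITHOUT_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: application/atom+xml;type=feed\r\n"
    "cache-control: max-age=0\r\n\r\n"
)

if __name__ == "__main__":
    for label, head in (("with", WITH_HEADERS), ("without", WITHOUT_HEADERS)):
        print(label, caching_gaps(head) or "ok")
```
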
Thank you Andre, as discussed we need + will implement this behaviour in a customer mobile Gateway App.
Hello Andre,
One quick question: I added two new fields in the dev system and I am able to see the new fields in the metadata, whereas I am not getting Cache-control and Pragma in the HTTP response in the Dev environment.
I have moved the same transport to QA and I am not able to see the new fields in the metadata. I compared the version in both DEV and QA, these are the same.
1) Cleared the cache in both front end and back end in QA.
2) In HTTP response I am getting Cache-control and Pragma in QA Environment.
Can you please let us know ASAP, as we got stuck here.
Not able to see the added new fields in Quality system
And also one more pointer:
1) Please find the screenshots for DEV and QA for HTTP responses.
2) Is there any difference in Server Protocol HTTP/1.0 and HTTP 1.1?
3) In Dev it is showing as HTTP/1.0 and in QA it is showing as HTTP/1.1
http://help.sap.com/saphelp_nw73/helpdata/en/4a/96b778948f5ff2e10000000a421937/content.htm
Can you please let us know if anything is stopping us because of these HTTP responses?
Thanks
Vijay
Hi Vijay,
the difference in both screenshots is not only the system but also the URL being called.
In HQA you call the URL of the service document whereas in HQU you call the URL of the $metadata document.
So you should try to call the same URLs
<service_root_URL>?$format=xml and
<service_root_URL>/$metadata in both systems and only compare the response of the same URL.
Regards,
Andre
Hi Andre,
Sorry, wrong screenshot:
Please find below, even though I called with $metadata, I am getting the same HTTP response in QA.
Thanks
Vijay
Hi Andre,
Is there anything which we need to look into in the HTTP headers (max_age, expires), etc.?
Thanks,
Vijay
Thanks, awesome stuff. I would like to know more about security with ODATA and SAPUI5. I think security is fast becoming the most important thing about developing software... And we're very exposed with Web Applications so yeah, I'd take a course on that, if there is one.
Hi Andre,
Thanks. Very interesting stuff. Following your advice I was able to add HTTP headers. However, our frontend developers use batch requests by default.
And in that case the header values are missing. That makes kind of sense, as there might be conflicts if we have several requests in one batch.
Is there a similar way to add the same HTTP headers in that case?
Thanks and regards
Meinrad