Thomas Jung

SAP HANA SPS 09: New Developer Features; Miscellaneous Security Features

This blog is part of the larger series on all new developer features in SAP HANA SPS 09:

In this blog we will take a first look at the new miscellaneous security features added to the development model in SAP HANA SPS 09.

Full CORS (Cross-Origin Resource Sharing) Support.

Since SPS 06, we’ve had basic CORS support, which could be configured at the package level. This support only allowed you to enable or disable CORS; in SPS 09 we expand the configuration options to allow filtering by origins, headers and HTTP methods.
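
To make the three filters concrete, the following added example (not code from the original post or from SAP) models how a server can decide a CORS preflight against an origin, method and header allow-list. The policy object, its field names and the sample origins are hypothetical and are not the .xsaccess syntax.

```javascript
// Added example: a model of a CORS preflight decision with origin, method and
// header filters. Field names are illustrative, not HANA configuration keys.
const policy = {                       // constructed sample policy
  allowOrigin: ["https://app.example.com"],
  allowMethods: ["GET", "POST"],
  allowHeaders: ["content-type", "x-csrf-token"],
  allowCredentials: true,              // cookies / authentication are in use
};

// Returns the response headers for an allowed preflight, or null to refuse.
function evaluatePreflight(policy, req) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"] || "";
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Origin filter: exact string match, so look-alike hosts are refused.
  if (!origin || !policy.allowOrigin.includes(origin)) return null;
  // Method filter: the method the actual request intends to use.
  if (!policy.allowMethods.includes(method)) return null;
  // Header filter: every header the actual request intends to send.
  if (!wanted.every((h) => policy.allowHeaders.includes(h))) return null;

  const res = {
    "Access-Control-Allow-Origin": origin,  // echo the vetted origin, never "*"
    "Access-Control-Allow-Methods": policy.allowMethods.join(", "),
    "Access-Control-Allow-Headers": policy.allowHeaders.join(", "),
    "Vary": "Origin",                       // keep caches from mixing origins
  };
  // Browsers reject credentialed responses whose allowed origin is "*".
  if (policy.allowCredentials) res["Access-Control-Allow-Credentials"] = "true";
  return res;
}

// Helper that builds a constructed preflight (OPTIONS) request.
function preflight(origin, method, headers) {
  return { headers: {
    "origin": origin,
    "access-control-request-method": method,
    "access-control-request-headers": headers,
  } };
}

console.log(evaluatePreflight(policy,
  preflight("https://app.example.com", "POST", "Content-Type, X-CSRF-Token")));
console.log(evaluatePreflight(policy,
  preflight("https://other.example.net", "POST", "Content-Type")));
```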


Custom Headers/X-Frame

This new feature allows you to control whether the browser should allow a page served from HANA to be rendered within a frame, iframe, or object. This helps to avoid clickjacking attacks by keeping content from being embedded within a malicious site.

Possible values:

  • DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.

In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.


Various Authentication Features

  • Secure HTTP Session Cookies
  • Support for Client Certificates from F5’s BIG-IP
  • SAML Single Logout (SLO) support
  • SAML Authentication in Authorization header

Support for Virus Scan Interface (VSI) for applications

New XSJS API ($.security.AntiVirus) to access and use the SAP Virus Scan Interface from your server side JavaScript coding.

  • The scan needs a Virus Scan Adapter (VSA) to be installed on the host
  • The setup and configuration is available with SAP note 2081108
  • This class uses the SAP certified interface NW-VSI 2.00 (see SAP note 1883424)
  • For a list of the AV products supported, see SAP note 1494278

Code Sample for using the new Virus Scan Interface from XSJS:

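try {
  // Create a new $.security.AntiVirus object using the default profile
  var av = new $.security.AntiVirus();
} catch (e) {
  // Construction failed: report an error without echoing internal details
  $.response.status = $.net.http.INTERNAL_SERVER_ERROR;
  $.response.setBody("Virus scan is not available");
}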

      Timothy Muchena


      Thank you for the updates.

      Kind regards

      Former Member

      Hi Thomas,

      Can you please recommend the best way to create CORS enabled OData requests on HANA SPS09 with authentication?

      I tried XSADMIN as well as XSACCESS without success.



      Thomas Jung
      Blog Post Author

      Perhaps it's best if you create a forum thread for your problem. Describe what you have tried and what problem you've encountered. You haven't really described much here; certainly not enough to answer based upon.

      Former Member

      My apologies Thomas.

      I created a thread here Allowing CORS on OData with authentication in HANA SPS09