Main Areas of Intervention for SAP Fiori Security

SAP Fiori is the latest UI technology from SAP that enhances user experience by providing intuitive and responsive user interfaces for SAP applications. As organizations embrace the power of Fiori, it becomes paramount to prioritize the security of these applications. Recently our partner Bowbridge published Six Steps to Improve SAP FIORI Security, and today we will illustrate the seven main areas of intervention for SAP Fiori, ensuring the protection of your data and systems. 

Background

Securing the stack involves understanding the technology layers. SAP Fiori follows the MVC (Model, View, Controller) principle. The Model represents data and business logic, managing data persistence, retrieval, and computations. The View presents the user interface, including forms, buttons, and tables, rendering data from the Model, whereas the Controller acts as the intermediary, processing user input, updating the Model, and triggering changes in the View. 

On the development side, data exchange occurs through OData services. OData plays a critical role in SAP Fiori, enabling data integration, standardization, and interoperability. It empowers Fiori apps to retrieve, manipulate, and consume data from backend systems using RESTful APIs, ensuring a seamless user experience. 

To secure SAP Fiori, you should consider focusing on the following main areas of intervention:

1. Network and Communication Security

All communications between the SAP Fiori Client app on the device and target servers must be strongly encrypted. SAP Fiori Client utilizes the HTTPS protocol for network connections, guaranteeing that data transmission is secure and safeguarded against unauthorized access.

2. User Authentication and Single Sign-On (SSO)

User authentication and single sign-on mechanisms also play a crucial role in SAP Fiori security. The choice of authentication and SSO method depends on whether SAP Fiori Client connects directly to the front-end server, to SAP Mobile Platform Server, or to SAP Cloud Platform mobile service for development and operations. Implementing robust authentication protocols, such as two-factor authentication, significantly enhances the security of SAP Fiori applications and safeguards user identities.

3. Secure Storage of Data on Device

The local storage of data in mobile apps is a common vulnerability that needs to be addressed in SAP Fiori security. SAP Fiori Client incorporates various measures to ensure the security of persistent data stored on the device. These measures include data encryption, secure key management, and sandboxing techniques that isolate app data from other applications on the device. By implementing these security measures, organizations can rest assured that sensitive data remains protected even if the device is lost or stolen.

4. Access to Native Device Capabilities

Certain SAP Fiori apps leverage native device capabilities, such as the camera, contacts, calendar, and geolocation. By implementing proper authorization mechanisms and permissions, organizations can mitigate the risks associated with unauthorized access to native device capabilities and maintain the overall security of the SAP Fiori ecosystem. 

5. Data Protection and Privacy

Organizations must comply with general data privacy regulations and industry-specific legislation in different countries and therefore need to address these within their SAP Fiori security concept. SAP provides specific features and functions to support compliance with relevant legal requirements, including data protection. However, it is crucial to assess the specific system landscape and applicable legal requirements to determine the most suitable approach for data protection.

6. Virus Scanning

To bolster the security of backend systems that process critical data, organizations can opt to implement virus scanning for data uploads. Before being passed into the SAP content repository, documents such as office documents, PDFs, or executable content should undergo thorough scanning for virus/malware infections.
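The gate described above, as an added example that is not code from the original post, from Bowbridge or from SAP: an upload is admitted to the content repository only after its real content type has been sniffed from magic bytes, executable content has been refused outright, the declared extension has been checked against the detected type, and a scanner hook has returned clean. The scanner shown is a constructed stand-in that recognises only the public EICAR test string; in a real landscape that hook would call the deployed anti-virus engine. Sample files, names and the repository name are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Public, harmless EICAR anti-virus test string, used here as the only "signature"
# the stand-in scanner knows.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Magic bytes for the document types the post names (office documents, PDFs) and for the
# native executable formats that must never reach the repository.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "office-openxml"),                     # .docx/.xlsx/.pptx are ZIP containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office-ole"),   # legacy .doc/.xls/.ppt
    (b"MZ", "executable-pe"),
    (b"\x7fELF", "executable-elf"),
]
ALLOWED_TYPES = {"pdf", "office-openxml", "office-ole"}
EXTENSION_TYPES = {
    "pdf": "pdf",
    "docx": "office-openxml", "xlsx": "office-openxml", "pptx": "office-openxml",
    "doc": "office-ole", "xls": "office-ole", "ppt": "office-ole",
}


@dataclass
class Decision:
    accepted: bool
    reason: str


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring whatever extension the client claims."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def eicar_scanner(data: bytes) -> Optional[str]:
    """Constructed stand-in for the real AV engine: returns a detection name or None."""
    return "EICAR-Test-File" if EICAR in data else None


def admit_to_repository(filename: str, data: bytes,
                        scanner: Callable[[bytes], Optional[str]] = eicar_scanner) -> Decision:
    """Run every check an upload must pass before it is handed to the content repository."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    if kind.startswith("executable-"):
        return Decision(False, f"executable content ({kind}) is never stored")
    if kind not in ALLOWED_TYPES:
        return Decision(False, f"unrecognised content type {kind!r}")
    if EXTENSION_TYPES.get(ext) != kind:
        return Decision(False, f"extension .{ext} does not match detected type {kind}")
    verdict = scanner(data)
    if verdict:
        return Decision(False, f"scanner flagged {verdict}")
    return Decision(True, f"{kind} passed type validation and scan")


# Constructed sample uploads: two legitimate documents, a PE file renamed to .pdf,
# an OOXML file carrying the EICAR string, and a ZIP-based file claiming a legacy extension.
SAMPLE_UPLOADS = {
    "report.pdf": b"%PDF-1.7\n% constructed sample document\n",
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 26,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.docx": b"PK\x03\x04" + EICAR,
    "macro.doc": b"PK\x03\x04" + b"\x00" * 26,
}

if __name__ == "__main__":
    for name, content in SAMPLE_UPLOADS.items():
        d = admit_to_repository(name, content)
        print(f"{name:12} {'ACCEPT' if d.accepted else 'REJECT':6} {d.reason}")
```

The order of the checks matters: type sniffing and the executable refusal cost nothing and run first, so the comparatively expensive scanner only sees content that is already of an allowed type.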

7. Clickjacking Framing Protection

In the realm of cybersecurity, clickjacking or UI redressing attacks pose significant risks. These malicious tactics manipulate user clicks to trigger unintended actions within an application, deceiving users into interacting with potentially harmful elements. SAP addresses this threat by offering a robust whitelist-based framework specifically designed for SAP NetWeaver technologies.
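As an added example that is not part of the original post and does not model SAP's own NetWeaver whitelist framework, the following Python evaluates the framing posture a browser would derive from a response's headers: a Content-Security-Policy `frame-ancestors` directive takes precedence over `X-Frame-Options`, `DENY` and `SAMEORIGIN` are honoured, and a response with neither is reported as clickjackable. The source matching is deliberately simplified (exact origins, `'self'`, `'none'` and `https://*.host` wildcards only). The front-end, portal and intranet origins are constructed.

```python
# Constructed sample responses from a hypothetical Fiori front-end at https://fiori.example.com.
# "legacy_deny" relies on the older X-Frame-Options header alone; "whitelist" adds a CSP
# frame-ancestors list naming the origins that are allowed to embed the app.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "legacy_deny": {"X-Frame-Options": "DENY"},
    "whitelist": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' "
                                   "https://portal.example.com https://*.intranet.example.com",
    },
}


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # A directive with an empty source list is equivalent to 'none'
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def _source_matches(source: str, embedder: str, app_origin: str) -> bool:
    """Simplified CSP source matching: 'none', 'self', exact origins and https://*.host wildcards.
    Scheme-only sources and port defaulting are not modelled (assumption of this example)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == app_origin
    if source.startswith("https://*."):
        return embedder.startswith("https://") and embedder.endswith(source[len("https://*"):])
    return embedder == source


def framing_allowed(headers: dict, app_origin: str, embedder: str) -> bool:
    """Decide whether a page at app_origin served with these headers may be framed by embedder.

    Mirrors browser behaviour: frame-ancestors overrides X-Frame-Options; with neither
    present, or with an unrecognised X-Frame-Options value such as the obsolete
    ALLOW-FROM, any origin can frame the page."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        return any(_source_matches(s, embedder.lower(), app_origin.lower()) for s in ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder.lower() == app_origin.lower()
    return True


def assess(headers: dict) -> str:
    """Summarise a response's framing posture: 'unprotected', 'deny', 'same-origin' or 'whitelist'."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        return "deny" if ancestors == ["'none'"] else "whitelist"
    xfo = lower.get("x-frame-options", "").strip().upper()
    return {"DENY": "deny", "SAMEORIGIN": "same-origin"}.get(xfo, "unprotected")


if __name__ == "__main__":
    app = "https://fiori.example.com"
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, assess(hdrs), "framable by evil.example.net:",
              framing_allowed(hdrs, app, "https://evil.example.net"))
```

Running `assess` against captured responses of every Fiori entry point is a quick way to find pages that still ship without any framing restriction; the whitelist case shows why sending both headers is the usual practice, since `X-Frame-Options` covers clients that do not understand `frame-ancestors`.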

Summary

The world of SAP Fiori and the SAPUI5 controls offers many new possibilities for enterprises; however, security is a critical aspect that should never be neglected. By implementing essential security measures and best practices, organizations can ensure the protection of their data and systems. Do you want to have a complete overview of SAP Fiori Security and gain access to all the necessary security measures to protect your systems? Do not hesitate to download our latest white paper here.

Posted by Christoph Nagy
